Certificate for DNSWatchGO

Hi Guys,

When we install the DNSWatchGO client, everytime a block occurs we get a Certificate Error on the Browser.

Where can we download the DNSWatchGO Certificate Authoritity?

Should the client install the CA during the setup?

Thanks in advance

Comments

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @jmsoares91

    The CA that the block page you're seeing is signed by a public CA -- but it's not signed for the domain that your browser is looking for. There will always be a certificate error here, as there will be a cert name mismatch.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • edited December 2020

    @James_Carson said:
    Hi @jmsoares91

    The CA that the block page you're seeing is signed by a public CA -- but it's not signed for the domain that your browser is looking for. There will always be a certificate error here, as there will be a cert name mismatch.

    Thank you,

    Hi we used avast/zscaler dns before and the had a root CA and if installed we never gets a certificate error after a redirect to there sink hole
    Now I get a certificate error ever time a site is inspected by dns-watch

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @ConnectNow

    It'll be impossible for the blackhole server to predict what you typed in, so the cert will never match. If there was something like an application on each PC (like dnswatchGo), this may be possible -- but the blackhole server out on the internet itself will never know what it is. DNS resolution happens long before the request (by IP) gets to the blackhole.

    -James Carson
    WatchGuard Customer Support

  • edited December 2020

    @James_Carson said:
    Hi @ConnectNow

    It'll be impossible for the blackhole server to predict what you typed in, so the cert will never match. If there was something like an application on each PC (like dnswatchGo), this may be possible -- but the blackhole server out on the internet itself will never know what it is. DNS resolution happens long before the request (by IP) gets to the blackhole.

    How is avast / zscaler doing this?

    See the screenshots from a iPad without a dns agent installed ( not available for iOS) installing there root CA create error free redirects

    Secure web gateway is avast dns watch with including off premises ssl inspection. How I understand do both products redirects on the same way and by watchguard we getting CA errors and on avast we don’t if we install there root CA

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @ConnectNow
    Based on the screenshot description, it's likely using a piece of software to help with that. There is a feature request for the DNSWatch Go client -- but just via DNS redirection, which is what the firewall is doing, there is no way to display that error.

    -James Carson
    WatchGuard Customer Support

  • edited December 2020
    100% sure there is no software on the iPads and iOS Device only a Root CA.

    Avast does not have a iOS agent for there cloudcare platform. The thing only you have to do is point your dns to the Zscaler dns and install the CA.
  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    There is an open feature request to have the firebox generate the deny pages vice being redirected to a static page (by IP) on the internet. That type of action should generate the type of result you're looking for. That feature request is DNSW-505.

    -James Carson
    WatchGuard Customer Support

  • edited December 2020
    Great i will have a look in that feature request.

    How about Soho Customers there are passport only Customers and do nog have a Firebox and use a dns Watch go agent on there laptop and desktop. Only the rest of device’s requests are forward by there Home router.

    It could be a nice win for passports /dnswatch go to move the ssl/https inspection and sandboxing to cloud like avast did.
Sign In to comment.