Is DNSWatch login down?

At 11:30AM Pacific time on April 20th, I am unable to log into DNSWatch and I get the following error.

This page isn’t working
dnswatch.watchguard.com took too long to respond.
HTTP ERROR 504

I can log into the WatchGuard Cloud, but not DNSWatch.

Gregg

Gregg Hill

Comments

  • It works for me at this moment

  • james.carson Moderator, WatchGuard Representative

    Hi Gregg,
    I confirmed I was able to get to it.
    If you haven't done so already, try logging in again. If you're still running into a problem, I'd suggest opening a support case so we can get more details from you and track down the issue.

    -James Carson
    WatchGuard Customer Support

  • I had to reboot my T20-W running beta firmware and then I could get to the DNSWatch console. I was having a problem with reaching www.techradar.com and getting this message:

    www.techradar.com has been blocked by DNSWatch

    When I logged into the DNSWatch console, it shows "www[.]techradar[.]com" with no reason for the block. I clicked Actions > Add to Whitelist, only to be greeted with a "Domain with this name already exists" message. So this domain is already in my whitelist, yet it is being blocked. It has been in the whitelist since Feb. 26, 2021, 3:51 p.m., so it should not have been blocked at all.

    Gregg Hill

  • What is even more confusing is when I click Actions > Domain Information, it says:

    Access to www[.]techradar[.]com is allowed.
    Categories:
    Information Technology

    So, DNSWatch says it's allowed, but it blocks it!

    Gregg Hill

  • Well, this just gets even more weird. I deleted www.techradar.com from the whitelist, and I was able to reach the website afterwards.

    I think I am done with DNSWatch because it causes nothing but problems every time I enable it.

    Gregg Hill

  • I started noticing odd things trying to load websites and resolving host names yesterday afternoon and just recently all my users working in the office complaining of all these mysterious issues pinpointing to DNS.
    So I disabled DNS Watch in my Firebox and changed the DNS Forwarding order in my servers and all is good now.
    Something hinky is going on with DNS Watch. I suggest disabling until WG can resolve the issues.

    • Doug

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator

    There's no service disruption with DNSWatch right now -- if you're having issues I'd suggest opening a support case so we can gather more information and help.

    I wouldn't recommend disabling a protective service like DNSWatch without first digging at the root cause.

    -James Carson
    WatchGuard Customer Support

  • @shaazaminator said:
    I started noticing odd things trying to load websites and resolving host names yesterday afternoon and just recently all my users working in the office complaining of all these mysterious issues pinpointing to DNS.
    So I disabled DNS Watch in my Firebox and changed the DNS Forwarding order in my servers and all is good now.
    Something hinky is going on with DNS Watch. I suggest disabling until WG can resolve the issues.

    • Doug

    I started having my issues with DNSWatch on April 20th and posted here at 11:35AM Pacific time. I finally gave up and just disabled DNSWatch.

    A protective service that is unreliable is not a good service. The multiple times I have enabled it, it has caused issues EVERY time, including downing my most important client one of those times. When it works, it's OK, but when it fails, you're toast. I'll stick with DNS servers like Quad9 or CleanBrowsing for now.

    Gregg Hill

  • @Greggmh123

    I may have to rescind my complaint against DNS Watch as my resolution by disabling it seems to have been fool's gold, as user complaints kept pouring in.
    Not only with Internet, but more importantly email and inbound connections to in-house web servers.

    Come to find out the issue was (still is) with any Proxy policy using Content Inspection. Namely HTTP and HTTPS both outbound and inbound. The real killer was the Outlook Web Access HTTPS inbound proxy which prevented any smart device or external Outlook client access to the server.

    Once I disabled Content Inspection on these policies everything just flowed.
    The real perplexing thing is these policies have been in place for a long time now and always worked fine, with no changes to them whatsoever. Suddenly now they don't. Not just a single policy, but all of them mind you.
    They all incorporate AV, IPS, APT, Geo Location, Web Blocker... to varying degrees depending on the policy's purpose.
    Maybe an update to one of these services may be the root cause?

    Of course, now with Content Inspection disabled I am increasing my risk exposure, but what else can I do?

    M470, 12.6.4

    • Doug

    It's usually something simple.

  • Doug,

    Content Inspection needs the "Fireware HTTPS Proxy" cert to be installed on any device going through DPI-enabled proxies in order to work without getting warnings. Is there any chance that "Fireware HTTPS Proxy" cert expired or got deleted/recreated on your M470? That's the only thing I can think of that would whack all of the proxies at once.

    BTW, 12.7 is out and works on the M470.

    Gregg Hill
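
A client-side check for the question raised in the post above (is the inspection CA installed on the device, and is it still within its validity period?), as an added example that is not part of the thread or of WatchGuard's tooling. The `CA_NAME` match string and the sample trust-store entries are assumptions constructed for illustration; confirm the actual subject name on your own Firebox.

```python
import ssl
import time

# Assumption: substring of the inspection CA's commonName, taken from the post.
CA_NAME = "Fireware HTTPS Proxy"

def _common_name(name):
    """Extract commonName from the nested-tuple name format used by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def audit_inspection_ca(ca_certs, now=None, ca_name=CA_NAME, warn_days=30):
    """Return [(serial, state)] for every trusted CA whose CN contains ca_name.

    ca_certs is a list of dicts in the format SSLContext.get_ca_certs() returns.
    An empty result means the CA is not in the store at all. More than one
    entry suggests a recreated CA with a stale copy still deployed.
    """
    now = time.time() if now is None else now
    results = []
    for cert in ca_certs:
        if ca_name.lower() not in _common_name(cert.get("subject", ())).lower():
            continue
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if now < not_before:
            state = "not-yet-valid"
        elif now >= not_after:
            state = "expired"
        elif not_after - now < warn_days * 86400:
            state = "expiring-soon"
        else:
            state = "valid"
        results.append((cert["serialNumber"], state))
    return results

def _ca(cn, serial, not_before, not_after):
    name = ((("commonName", cn),),)  # self-signed: subject == issuer
    return {"subject": name, "issuer": name, "serialNumber": serial,
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample store: one public root plus an old and a recreated proxy CA.
SAMPLE_STORE = [
    _ca("Example Public Root (constructed)", "01", "Jan 01 00:00:00 2015 GMT", "Jan 01 00:00:00 2035 GMT"),
    _ca("Fireware HTTPS Proxy CA (constructed)", "0A01", "Apr 20 00:00:00 2019 GMT", "Apr 20 00:00:00 2021 GMT"),
    _ca("Fireware HTTPS Proxy CA (constructed)", "0B02", "Apr 21 00:00:00 2021 GMT", "Apr 21 00:00:00 2023 GMT"),
]
```

On a real client, pass `ssl.create_default_context().get_ca_certs()` as `ca_certs`; on platforms that load CAs lazily from a directory, certificates that have not yet been used may not be listed.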

  • Gregg,

    I've got all the proper certs configured. The WG proxy certs for outbound clients distributed through Group Policy, and third-party certs for inbound proxy policies added to the FB certs.

    Have a ticket open now and WG engineers have been working on it for over a week now. Checked all settings, running TCP dumps, Wiresharking, uploading support files, reloading certs, you name it.

    Haven't heard back from WG support for a few days so they may be a little stumped. Just like I am.

    I'll post the resolution once it is figured out.

    • Doug

    It's usually something simple.

  • @shaazaminator said:
    Gregg,

    I've got all the proper certs configured. The WG proxy certs for outbound clients distributed through Group Policy, and third-party certs for inbound proxy policies added to the FB certs.

    Have a ticket open now and WG engineers have been working on it for over a week now. Checked all settings, running TCP dumps, Wiresharking, uploading support files, reloading certs, you name it.

    Haven't heard back from WG support for a few days so they may be a little stumped. Just like I am.

    I'll post the resolution once it is figured out.

    • Doug

    Doug,

    The reason I brought up the certs is that you said "...these policies have been in place for a long time now and always worked fine, with no changes to them whatsoever. Suddenly now they don't."

    That's why I wondered if the cert had expired and had been deleted & recreated, requiring you to push the new cert out to computers via GPO. You have the distribution covered via Group Policy, but I was just wondering about the certificate's validity, which I presume you and WG tech support have checked, so I am out of ideas!

    Gregg

    Gregg Hill

  • Got it Gregg,

    It appears that SD-WAN's link monitor was causing a network monitoring process to crash.
    This in turn caused all kinds of weird behavior in my proxy policies that utilized content inspection.
    There is a bug fix in 12.7, FBX-6435, that addresses this issue.
    I upgraded to 12.7, set my proxy policies back to content inspection and everything is working as designed.

    Shout out to our WG friend James on the forums here for taking over this ticket and finding a resolution for me.

    For once it wasn't something simple. :D

    • Doug

    It's usually something simple.

  • That bug isn't in the V12.7 Known Issues list yet, alas.
