Introduction to DNSWatch
Introduction to DNSWatch
DNSWatch Overview
Enable DNSWatch
DNSWatch and Your Network
DNS Precedence
DNSWatch License Expiration
Manage DNSWatch
DNSWatch Overview
DNSWatch Overview
DNSWatch is a new cloud-based service that monitors DNS requests through the Firebox to prevent connections to known malicious domains
DNSWatch protects against malicious, clickjacking, and phishing domains regardless of the connection type, protocol, or port
Because DNSWatch works at the DNS layer, it can only act on queries that actually reach it; see the Usage Enforcement option and the DNS Precedence section
DNSWatch requires Fireware v12.1.1 or higher
It is included in the Total Security Suite subscription at release
Available as a trial subscription during the Fireware v12.1.1 beta
Supported models: Firebox T Series, M Series, XTMv, FireboxV, and Firebox Cloud
Not supported on a Firebox configured in Bridge Mode

DNSWatch Overview
DNSWatch components:
Threat Intelligence: constantly updated feeds with information about threats, keyed by domain
DNS Servers: resolve DNS queries
Blackhole Servers: destination for queries to blocked domains
Dashboard: cloud-based management
Firebox: redirects DNS queries to DNSWatch
WatchGuard customers and service providers:
Enable DNSWatch on the Firebox
Log in to the WatchGuard Portal to manage DNSWatch
Receive email alerts when connections to a domain are denied
DNSWatch Threat Intelligence
WatchGuard uses a complex set of heuristics to watch for malicious certificates and websites
DNSWatch polls threat intelligence sources daily to identify new malicious domains and update the Domain Feeds
DNSWatch users can also share domains they manually add to the DNSWatch Blacklist with WatchGuard to help improve DNSWatch for all users

DNSWatch and the Firebox
When the Firebox receives a DNS query from a host on a protected network, it forwards the request to DNSWatch
DNSWatch evaluates whether the domain is a known threat
If the domain is not a known threat, DNSWatch resolves the DNS query to the destination
If the domain is a known threat, DNSWatch resolves the domain to the IP address of the DNSWatch Blackhole Server
The DNSWatch Blackhole Server attempts to gather more information about the threat from the host endpoint
For HTTP and HTTPS requests, the DNSWatch Blackhole Server displays a customizable deny page to the user
Connections on other protocols and ports still land on the Blackhole Server, so the host never reaches the malicious destination

DNSWatch Deny Page
When an HTTP connection is blocked, a customizable deny page appears to the user
The Deny Page includes a short training exercise about how to recognize phishing attacks

DNSWatch Deny Page
For a denied HTTPS connection, an invalid certificate notice appears first, because the Blackhole Server cannot present a certificate that is valid for the requested domain
The Deny Page appears only if the user continues past the certificate warning

DNSWatch Email Alerts
When DNSWatch denies a connection, DNSWatch sends an email alert to account administrators, with a link to the alert details
Enable DNSWatch
DNSWatch Requirements
Before you can enable DNSWatch on the Firebox, make sure your Firebox meets these requirements:
Fireware OS v12.1.1 or higher
A Total Security Suite subscription or a DNSWatch Beta Trial
You can activate a second DNSWatch Beta Trial only after the first Beta Trial expires

Update the Firebox Feature Key
Log in to Fireware Web UI
Select System > Feature Key
Click Get Feature Key
Verify that the DNSWatch feature is enabled in the feature key

Enable DNSWatch in Policy Manager
To enable DNSWatch from WSM Policy Manager, select Subscription Services > DNSWatch
DNSWatch Registration status and DNS Server IP addresses do not appear in Policy Manager
To see this information, log in to Fireware Web UI and select Subscription Services > DNSWatch

Enable DNSWatch in Fireware Web UI
To enable DNSWatch, from Fireware Web UI:
Select Subscription Services > DNSWatch
Select Enable DNSWatch Service

Enable DNSWatch on the Firebox
Select the Usage Enforcement option
Usage Enforcement is disabled by default
For most networks, we recommend you enable Usage Enforcement on some or all internal interfaces
Without enforcement, a host that uses a manually configured DNS server bypasses DNSWatch entirely (see the DNS Precedence section)
If you have internal DNS servers, review the deployment scenarios later in this presentation before you enable enforcement
Click Save

Enable DNSWatch on the Firebox
DNSWatch status is available only in Fireware Web UI
DNSWatch status information includes:
Registration Status
DNS Servers
Blackhole Servers
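A quick way to confirm that a protected host's DNS queries really go through DNSWatch is to resolve the built-in test domain strongarm.test (it is in the default Blackholed Domains list) and compare the answer with the Blackhole Server addresses shown on the DNSWatch page in Fireware Web UI. The script below is an added example, not WatchGuard code. The 198.51.100.x and 203.0.113.x addresses and the two fake resolvers are constructed placeholders so that it runs offline; on a real host you pass resolve_with_system and the Blackhole Server addresses you copied from the Web UI. watchguard.com is used as the control domain only because the deck lists it as excepted from DNSWatch, so it must resolve normally whether or not enforcement is on.

```python
"""Added example: confirm that a host's DNS queries are enforced by DNSWatch.

Run it on a host on the protected interface with the real resolver
(resolve_with_system) and the Blackhole Server addresses from Fireware Web UI.
"""
import socket
from typing import Callable, Dict, Iterable

TEST_DOMAIN = "strongarm.test"       # default entry in the Blackholed Domains list
CONTROL_DOMAIN = "watchguard.com"    # excepted from DNSWatch, so it must resolve normally


def resolve_with_system(name: str) -> str:
    """Resolve with the host's configured resolver (needs network; raises socket.gaierror)."""
    return socket.gethostbyname(name)


def check_enforcement(resolve: Callable[[str], str], blackhole_ips: Iterable[str],
                      test_domain: str = TEST_DOMAIN,
                      control_domain: str = CONTROL_DOMAIN) -> Dict[str, object]:
    """Report whether queries from this host reach DNSWatch.

    Enforced means: the test domain resolves to a Blackhole Server and the
    control domain does not. Any other outcome means the host's queries
    bypass DNSWatch (manually configured DNS server with enforcement off,
    an unenforced interface, or DNSWatch not registered on the Firebox).
    """
    blackhole = set(blackhole_ips)
    result: Dict[str, object] = {"test_ip": None, "control_ip": None,
                                 "enforced": False, "reason": ""}
    try:
        test_ip = resolve(test_domain)
    except OSError as exc:  # NXDOMAIN: .test is a reserved TLD on any other resolver
        result["reason"] = f"{test_domain} did not resolve ({exc}); queries bypass DNSWatch"
        return result
    result["test_ip"] = test_ip
    if test_ip not in blackhole:
        result["reason"] = f"{test_domain} resolved to {test_ip}, not to a Blackhole Server"
        return result
    try:
        control_ip = resolve(control_domain)
    except OSError as exc:
        result["reason"] = f"{control_domain} did not resolve ({exc}); resolver is broken"
        return result
    result["control_ip"] = control_ip
    if control_ip in blackhole:
        result["reason"] = f"{control_domain} was blackholed; check the Whitelist"
        return result
    result["enforced"] = True
    result["reason"] = f"{test_domain} -> {test_ip} (Blackhole Server); {control_domain} resolves normally"
    return result


# Constructed placeholders (documentation ranges), not real DNSWatch addresses.
SAMPLE_BLACKHOLE_IPS = ["198.51.100.10", "198.51.100.11"]


def fake_resolver(answers: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for resolve_with_system, built from a fixed answer table."""
    def resolve(name: str) -> str:
        if name not in answers:
            raise socket.gaierror(-2, f"NXDOMAIN {name}")
        return answers[name]
    return resolve


# Host whose queries are redirected to DNSWatch by usage enforcement.
PROTECTED_HOST = fake_resolver({"strongarm.test": "198.51.100.10", "watchguard.com": "203.0.113.5"})
# Host pointed at its own public DNS server on an interface without enforcement.
BYPASSING_HOST = fake_resolver({"watchguard.com": "203.0.113.5"})

if __name__ == "__main__":
    for label, resolver in (("protected host", PROTECTED_HOST), ("bypassing host", BYPASSING_HOST)):
        print(label, check_enforcement(resolver, SAMPLE_BLACKHOLE_IPS))
```

Run it from each internal network segment after you click Save; a host that reports the test domain as NXDOMAIN or resolved to a public address is not being enforced, which is exactly the case the Interface DNS Server precedence slides describe.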
DNSWatch Regional DNS Servers
DNSWatch will have DNS servers in three regions:
North America: available now
Ireland: planned for availability at GA
Japan: planned for availability at GA
DNSWatch sends the Firebox the IP addresses of DNS servers in the nearest region
DNSWatch Servers and Exceptions
Many WatchGuard products and services are hosted on regional servers
To make sure that these services connect to the closest regional server, the Firebox does not send DNS requests for these domains to DNSWatch when usage enforcement is enabled:
watchguard.com (for services hosted by WatchGuard)
ctmail.com (for spamBlocker)
rp.cloud.threatseeker.com (for WebBlocker)
If you enable DNSWatch without usage enforcement, you can manually add DNS Forwarding rules for these domains to make sure that these services connect to the closest regional server

DNSWatch Without Usage Enforcement
If usage enforcement is disabled:
Configure the local DNS server to use the DNSWatch server IP addresses as the primary servers for DNS resolution
Copy the DNS Servers IP addresses from the DNSWatch page in Fireware Web UI
Paste the DNSWatch IP addresses into the DNS configuration on the local DNS server
Add the IP address of a public DNS server as an alternate server for DNS resolution
Configure any other local network hosts that use a manually configured DNS server to use the DNSWatch IP addresses, for example, a local DHCP server or other local server

DNSWatch Without Usage Enforcement
If usage enforcement is disabled, to make sure that WatchGuard services connect to a regional server:
Add DNS Forwarding rules for these domains:
watchguard.com
ctmail.com
rp.cloud.threatseeker.com
For each rule, specify the IP address of a regional DNS server

Best Practices
After you enable DNSWatch, we recommend that you not remove existing DNS server IP addresses from the Firebox configuration
They are the fallback the Firebox uses when the DNSWatch subscription expires

DNSWatch License Expiration
When DNSWatch expires, the Firebox uses the existing DNS settings in the Firebox network configuration
If DNSWatch expires and no DNS servers are configured on the Firebox:
The Firebox continues to use DNSWatch for DNS lookups only; no alerts or configuration options are applied
The Firebox generates a log message to alert you that DNS servers are missing
DNSWatch and Your Network
DNSWatch and Your Network
The examples in this section show how DNSWatch fits in different network architectures

DNSWatch and Your Network
Example 1: Network without a local DNS server

DNSWatch and Your Network
Example 2: Network with a local DNS server
The Network DNS server list on the Firebox does not include the local DNS server

DNSWatch and Your Network
For Example 2:
DNSWatch enforcement is enabled
The Network (Global) DNS server list on the Firebox includes only public DNS servers; the local DNS server is not included
Configure DNS Forwarding rules for your local domain and local DNS server if the Firebox itself must resolve local FQDNs

DNSWatch and Your Network
Example 3: Network with a local DNS server
The Network DNS server list on the Firebox includes the local DNS server

DNSWatch and Your Network
For Example 3:
DNSWatch enforcement is enabled
The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last

DNSWatch and Your Network
For Example 3:
In this example, DNS requests for WatchGuard service domains are sent to DNSWatch instead of a public DNS server; the DNSWatch exception list is not used

DNSWatch and Your Network
Example 4: Network with a local DNS server
DNSWatch enforcement is disabled

DNSWatch and Your Network
For Example 4:
If you do not want to enable DNSWatch enforcement on your network, you can use this configuration
You must manually add forwarders to the DNSWatch DNS servers on your local DNS server
Keep forwarders to public DNS servers as backup options

DNSWatch and Your Network
For Example 4:
You must also add DNS forwarding rules for WatchGuard service domains to make sure that these services connect to the closest regional server

DNSWatch and Your Network
Example 5: Network with mobile VPN users

DNSWatch and Your Network
For Example 5:
DNSWatch enforcement is enabled
Enforcement applies only to hosts on Trusted or Optional Firebox interfaces; it does not apply to mobile VPN users
Mobile VPN devices must point to the local DNS server
Mobile VPN users are therefore covered only through the local DNS server: its upstream queries leave through an enforced interface and are redirected to DNSWatch
The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last
Mobile VPN with IPSec, L2TP, and IKEv2 users get the DNS servers in the Network DNS server list on the Firebox; make sure the local DNS server is first in this list
Mobile VPN with SSL users get the DNS servers in the Mobile VPN with SSL settings on the Firebox; make sure the local DNS server is first in the Mobile VPN with SSL settings
DNS Precedence
DNS Settings Precedence
In some cases, DNSWatch takes precedence over these DNS servers that could already be configured on your Firebox:
Network (Global) DNS server: default DNS server for all interfaces and local processes on the Firebox
Interface DNS server: specified in the DHCP server settings for an interface
DNS server obtained from your ISP: when the Firebox is configured as a DHCP or PPPoE client

Precedence ─ Network DNS Server
Network DNS servers when DNSWatch is enabled with enforcement on:
DNSWatch DNS servers take precedence over the public DNS servers in the Network DNS server list
DNS queries for external resources are, in this order:
Resolved by the Firebox cache, or
Sent to the DNS servers specified in conditional DNS forwarding rules, or
Sent to DNSWatch

Precedence ─ Network DNS Server
Network DNS servers when DNSWatch is enabled with enforcement off:
Public DNS servers in the Network DNS server list are used
If the DNS Forwarding feature is not enabled, DNS queries for external resources generated by the Firebox itself or sent directly to the Firebox interface IP address are sent to DNSWatch
If the DNS Forwarding feature is enabled, DNS queries for external resources are, in this order:
Resolved by the Firebox cache, or
Sent to the DNS servers specified in conditional DNS forwarding rules, or
Sent to DNSWatch

Precedence ─ Interface DNS Server
Interface DNS server (configured in interface settings) when DNSWatch is enabled with enforcement on:
DNS queries for external resources are, in this order:
Resolved by the Firebox cache, or
Sent to the DNS servers specified in conditional DNS forwarding rules, or
Sent to DNSWatch
For a DHCP client with manually configured DNS servers, DNS queries for external resources are sent to DNSWatch because enforcement is on

Precedence ─ Interface DNS Server
Interface DNS server (configured in interface settings) when DNSWatch is enabled with enforcement off:
DNS requests are sent to the interface DNS server instead of DNSWatch
For a DHCP client with manually configured DNS servers, DNS queries are sent to the manually configured DNS servers instead of DNSWatch
To protect this client with DNSWatch, we recommend you change the manually configured DNS servers to the DNSWatch server IP addresses

Precedence ─ DNS Server from ISP
DNS server obtained from your ISP for a Firebox configured as a DHCP or PPPoE client:
Not used when DNSWatch is enabled; DNS requests are sent to DNSWatch instead
The Firebox continues to obtain DNS servers from your ISP and stores that information
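The precedence rules on the preceding slides are easier to reason about against a concrete configuration. The following is an added example, not WatchGuard code, that models them as two functions: which resolver a query the Firebox handles itself goes to (cache, then conditional forwarding rules, then DNSWatch), and where a protected host's query to its own manually configured DNS server ends up. All addresses are documentation-range placeholders. Two points the slides leave open are marked as assumptions in the comments: where an excepted WatchGuard domain goes under enforcement, and what the Firebox uses when DNSWatch is disabled and the Network list is empty.

```python
"""Added example: which resolver handles a query under the DNS precedence rules."""
from dataclasses import dataclass, field, replace
from typing import Dict, List

# Domains the Firebox keeps away from DNSWatch when usage enforcement is on
# (from the DNSWatch Servers and Exceptions slide).
DNSWATCH_EXCEPTIONS = ("watchguard.com", "ctmail.com", "rp.cloud.threatseeker.com")


@dataclass
class FireboxDns:
    dnswatch_enabled: bool
    enforcement: bool                      # Usage Enforcement on the interface in question
    dnswatch_servers: List[str]            # pushed to the Firebox by DNSWatch
    network_dns: List[str]                 # Network (Global) DNS server list
    forwarding_enabled: bool = False
    forwarding_rules: Dict[str, List[str]] = field(default_factory=dict)  # domain suffix -> servers
    cache: Dict[str, str] = field(default_factory=dict)                   # name -> cached answer
    isp_dns: List[str] = field(default_factory=list)                      # learned via DHCP/PPPoE


def under_suffix(name: str, suffix: str) -> bool:
    """True if name is suffix itself or a subdomain of it (trailing dot and case ignored)."""
    name, suffix = name.rstrip(".").lower(), suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def firebox_resolvers(name: str, cfg: FireboxDns) -> List[str]:
    """Resolver(s) for a query the Firebox handles itself: its own lookups, or a
    client query sent to an interface IP address. Order follows the slides:
    cache, then conditional forwarding rules, then DNSWatch."""
    if name in cfg.cache:
        return ["cache"]
    if cfg.forwarding_enabled:
        for suffix, servers in cfg.forwarding_rules.items():
            if under_suffix(name, suffix):
                return list(servers)
    if not cfg.dnswatch_enabled:
        # Assumption: with DNSWatch off the Network list is used, and the
        # ISP-learned servers only when that list is empty.
        return list(cfg.network_dns) or list(cfg.isp_dns)
    if cfg.enforcement and any(under_suffix(name, ex) for ex in DNSWATCH_EXCEPTIONS):
        # Assumption: excepted domains fall through to the Network list; the
        # slides say only that they are not sent to DNSWatch under enforcement.
        return list(cfg.network_dns)
    # With DNSWatch enabled the ISP-learned servers are never used.
    return list(cfg.dnswatch_servers)


def client_query_destination(name: str, host_dns: str, cfg: FireboxDns) -> List[str]:
    """Where a protected host's query to its own (manually configured) DNS server ends up."""
    if cfg.dnswatch_enabled and cfg.enforcement:
        if any(under_suffix(name, ex) for ex in DNSWATCH_EXCEPTIONS):
            return [host_dns]               # excepted domains are not redirected
        return list(cfg.dnswatch_servers)   # redirected regardless of the host's setting
    return [host_dns]                       # enforcement off: passes through unchanged


def sample_config() -> FireboxDns:
    """Constructed configuration (documentation-range addresses, not real servers)."""
    return FireboxDns(
        dnswatch_enabled=True,
        enforcement=True,
        dnswatch_servers=["198.51.100.53"],
        network_dns=["203.0.113.1"],
        forwarding_enabled=True,
        forwarding_rules={"corp.example": ["10.0.0.53"]},   # local domain -> local DNS server
        cache={"intranet.corp.example": "10.0.0.20"},
        isp_dns=["203.0.113.99"],
    )


def sample_variant(**changes) -> FireboxDns:
    """sample_config() with some fields overridden, e.g. sample_variant(enforcement=False)."""
    return replace(sample_config(), **changes)


if __name__ == "__main__":
    cfg = sample_config()
    for q in ("www.example.net", "files.corp.example", "intranet.corp.example",
              "rp.cloud.threatseeker.com"):
        print(f"{q:28} -> {firebox_resolvers(q, cfg)}")
    print("host with manual DNS, enforcement on :",
          client_query_destination("www.example.net", "203.0.113.8", cfg))
    print("host with manual DNS, enforcement off:",
          client_query_destination("www.example.net", "203.0.113.8", sample_variant(enforcement=False)))
```

Editing sample_config to mirror Examples 2 to 5 from the previous section (local DNS server in or out of the Network list, enforcement on or off, forwarding rules for the local domain) shows which queries still reach DNSWatch in each layout; the enforcement-off case makes visible why the slides tell you to add forwarding rules for the WatchGuard service domains yourself.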
Manage DNSWatch
Manage DNSWatch
After you activate DNSWatch for a Firebox in your account, you can connect to DNSWatch in the WatchGuard Portal
In the WatchGuard Support Center, select My WatchGuard > Manage DNSWatch

DNSWatch Dashboard
The DNSWatch Dashboard provides:
DNS traffic data
Top domain requests
Top network requests
Monthly alert summary
From the DNSWatch Dashboard you can add domains to the whitelist or blacklist, view reporting and alerts, change your settings, and customize the page users see when their HTTP or HTTPS connections are denied

DNSWatch Web UI
On the Domains menu, you can select options to:
Add domains to the Blacklist (Blackholed Domains)
Add domains to the Whitelist
See information about domain feeds
Search for a domain on the Blacklist, Whitelist, and Feeds

Blackholed Domains
When you add a domain to the Blackholed Domains list:
DNSWatch resolves all DNS requests for that domain to the IP address of the Blackhole Server
When an HTTP or HTTPS connection is denied, a customizable Deny Page appears to the user
To edit blackholed domains, select Domains > Blackholed
The default list includes the test domain strongarm.test, which you can resolve from a protected host to confirm that its DNS queries go through DNSWatch

Blackholed Domains
To add a domain to the Blackholed Domains list:
Click Blackhole a New Domain
Specify the domain name
To include all subdomains for the domain, select Include Subdomains
To share the domain with WatchGuard, select Share this domain

Whitelisted Domains
When you add a domain to the Whitelisted Domains list, DNSWatch considers the domain safe and resolves the IP address, even if the domain is on a Domain Feed
To edit whitelisted domains, select Domains > Whitelisted

Whitelisted Domains
To add a domain to the Whitelisted Domains list:
Click Whitelist a New Domain
Specify the domain name
To include all subdomains for the domain, select Include Subdomains
DNSWatch Reports and Traffic History
On the Reporting menu you can select options to:
See weekly reports of DNS domain requests
Search the DNS traffic history
You can also click View Reports on the dashboard

DNSWatch Weekly Reports
To see DNSWatch weekly reports, select Reporting > DNSWatch Weekly Reports
Filter by week date range
To filter the report for a specific network, select the network
By default, DNSWatch reports group some domains by category, such as Advertising
To see the top 20 domains without grouping by category, clear the Group domains by category check box
DNSWatch Traffic History
To see DNS traffic history, select Reporting > DNS Traffic History
Search for domains in DNS requests from computers on the protected networks
History includes DNS traffic from the past week
Results include only the exact domain name you specify; subdomains are not matched
DNSWatch Alerts An alert summarizes one or more connections that DNSWatch denied to a domain from the same protected network
DNSWatch Alerts — Filter To filter the Alerts list, click Filter
DNSWatch Alerts — Status
The Status column shows the alert status:
Resolved (green check mark): the alert was resolved by a DNSWatch user; DNSWatch sends a notification if a resolved alert is seen again
Unresolved (red x): the alert is not resolved
For unresolved alerts, the adjacent connection icon is red if there are active connections to the DNSWatch Blackhole Server for the alert

DNSWatch Alerts — Resolve Selected Alerts
To resolve an alert:
Select the alerts
Click Resolve Selected Alerts

DNSWatch Alerts — Resolve Selected Alerts
If DNSWatch sees a DNS request that matches a resolved alert in the future, DNSWatch reopens the alert and sends a new notification
You cannot resolve an alert that has an open connection
DNSWatch Alerts – View Details To see the details for an alert, click View
DNSWatch Alert Details
The alert details include victim information, destination information, and malware information

DNSWatch Alert Details
Click Resolve Alert to change the status to Resolved
Click Silence Alerts to stop email notifications for the alert without changing the alert status
DNSWatch Alert Details – Discussion Select Discussion to see feedback from WatchGuard support, and add additional comments or questions
DNSWatch Alert Details – Domain Analysis
Select Domain Analysis to view the domains that DNSWatch extracted from this infection
Extracted domains are either the original destination domain or domains related to it
To add a blocked domain to your Whitelist, click Actions and select Add to Whitelist

DNSWatch Alert Details – Malware Analysis
An alert may include multiple connections to a domain from the same protected network
The Malware Analysis tab shows details about the first connection

DNSWatch Alert Details – Connections
To see all connections associated with this alert, select the Connections tab
To see details for a connection, click View

DNSWatch Connection Information
Connection information includes:
Netflow data
Hex dump of the first bytes sent by the victim to the Blackhole Server
Parsed protocol details

DNSWatch Alert Details – History
The History tab for an alert is an audit trail of all actions taken for the alert by a DNSWatch user:
Changed the alert status to Resolved or Unresolved
Silenced or enabled alert notification emails

DNSWatch Denied Connections
To see a list of all connections that DNSWatch has denied, on the Alerts page click Connections

DNSWatch Denied Connections
The list of denied connections includes the source IP address, source and destination ports, and protocol
To see more information for a denied connection, click View
DNSWatch Settings — Profile To configure DNSWatch account settings, click your user name and then select Settings
DNSWatch Settings — Profile In the Profile settings you can change your time zone
DNSWatch Settings — Notifications In the Notification settings you can enable or disable email notifications for new alerts, or updates to existing alerts Email notifications go to the email address configured for your user account in the WatchGuard Portal
DNSWatch Settings — Protected Fireboxes To see a list of Fireboxes and networks protected by DNSWatch, click Protected Fireboxes This page shows the public IP addresses for all Firebox external interfaces
DNSWatch Settings — Deny Page You can customize the logo, text and colors of the Deny page
DNSWatch Settings — Deny Page To customize the deny page, click Block Page Content
Customize the Deny Page To customize the colors and logo, select Block Page Style
For More Information This introduction does not cover every feature of DNSWatch For more information about DNSWatch features, see Fireware Help
Thank You!