DNSWatch Blackhole Servers

A key component of the DNSWatch solution is the Blackhole server. When DNSWatch resolvers receive a DNS request to a malicious domain, they return the IP address of the DNSWatch Blackhole server instead of the IP address of the requested domain. The Blackhole server collects data about the attempted connections to malicious domains from your protected networks, Fireboxes, and DNSWatchGO clients. The Blackhole server also hosts the DNSWatch block pages that users see in the browser when DNSWatch denies HTTP or HTTPS connections.

Data Collection and Malware Analysis

The Blackhole server receives the connection intended for the malicious domain and attempts to collect information about the client. This includes information such as the private IP address, host name, and username. This information appears on the Details tab for the alert and can help you identify the victim or victims.

SMTP and the Blackhole

SMTP traffic is redirected by DNSWatch if the mail server domain is blocked due to being on one of the DNSWatch feeds. The DNSWatch blackhole collects the headers associated with the mail, but not the content. It does not forward or deliver the email. The header data collected includes:

• The sender and recipient's email addresses
• Full name
• The IP address of the sender
• The subject line of the mail message

SMTP traffic is parsed to provide visibility and enable you to understand why a client or device on your network is sending mail to a blocked domain. The blackhole is not a functioning mail server and it does not relay email. The blackhole only completes the initial SMTP handshake since this is a prerequisite to the compromised client sending its data.

For more information, see About DNSWatch Blackhole Servers and Manage DNSWatch Alerts.