WatchGuard Support Center

Knowledge Base - Article

 DNSWatch Blackhole Servers


DNSWatch Blackhole Servers

A key component of the DNSWatch solution is the Blackhole server. When DNSWatch resolvers receive a DNS request to a malicious domain, they return the IP address of the DNSWatch Blackhole server instead of the IP address of the requested domain. The Blackhole server collects data about the attempted connections to malicious domains from your protected networks, Fireboxes, and DNSWatchGO clients. The Blackhole server also hosts the DNSWatch block pages that users see in the browser when DNSWatch denies HTTP or HTTPS connections.

Data Collection and Malware Analysis

The Blackhole server receives the connection intended for the malicious domain and attempts to collect information about the client. This includes information such as the private IP address, host name, and username. This information appears on the Details tab for the alert and can help you identify the victim or victims.

Malware Analysis

The DNSWatch Blackhole server accepts the connection that was intended for the malicious domain and collects netflow traffic for analysis. DNSWatch parses the network protocols. The information DNSWatch collects for a connection appears in the Malware Analysis tab for an alert.


DNSWatch records the date and time of each attempted connection to the same denied domain. An alert combines information about all attempted connections from one protected network to the same malicious domain. The information about connections appears in the Connections tab for an alert.

SMTP and the Blackhole

SMTP traffic is redirected by DNSWatch if the mail server domain is blocked due to being on one of the DNSWatch feeds. The DNSWatch blackhole collects the headers associated with the mail, but not the content. It does not forward or deliver the email. The header data collected includes:
  • The sender and recipient's email addresses
  • Full name
  • The IP address of the sender
  • The subject line of the mail message
SMTP traffic is parsed to provide visibility and enable you to understand why a client or device on your network is sending mail to a blocked domain. The blackhole is not a functioning mail server and it does not relay email. The blackhole only completes the initial SMTP handshake since this is a prerequisite to the compromised client sending its data.

For more information, see About DNSWatch Blackhole Servers and Manage DNSWatch Alerts.