Refused-query forensics
When the query firewall refuses a query, it shows up here within seconds: source IP, country, the name they asked for, and which rule caught them. It’s the “who’s hitting me right now” view, at the grain of individual queries rather than the daily rollups on the Insights tab.
Use it to watch an attack as it happens, confirm a new firewall rule is catching what you intended, or spot a misconfigured client that’s hammering you.
Where to find it
console.dnswiz.app → Policies → Refused queries, live.
The card refreshes on its own. Its header turns amber when something was refused in the last five minutes, so you can catch a spike at a glance without opening it.
What each row shows
| Field | Meaning |
|---|---|
| When | How long ago the query was refused (12s, 4m, 1h). |
| Zone | The zone the query was for. |
| Query | The name and record type asked for (example.com. ANY). |
| Source | The resolver’s IP, plus country when we can resolve one. |
| Reason | Which rule refused it (see below). |
Reason codes
| Reason | The query was refused because… |
|---|---|
| qtype-refused | its record type is in your refuse list (e.g. ANY/AXFR). |
| ip-not-allowed | you have an allow-list and its source isn’t on it. |
| ip-denied | its source is on your deny-list. |
| country-not-allowed | you have a country allow-list and its country isn’t on it. |
| country-denied | its country is on your deny-list. |
| rate-limited | its source IP exceeded your per-source rate limit. |
Retention
This view is live, not an archive. It holds the most recent refusals (a few hundred per workspace, roughly the last hour) so you can react in the moment. It is deliberately not a long-term log:
- For trends over time, use the Insights tab’s refused-query breakdown.
- For a permanent record of policy changes (who turned a rule on, when), use the audit log under Settings.
If you need to keep a specific burst of refusals, export it via the API below while it’s still in the window.
Multi-region
dnswiz answers from more than one location. The live view merges refusals from every edge into one workspace-wide picture: you see “this query was refused,” not which region happened to handle the packet. That’s what matters for forensics: whether the traffic reached you at all.
It never slows your DNS
Recording refusals is best-effort and completely off the DNS hot path. If the forensics pipeline is ever backed up, events are dropped rather than queued; answering queries always wins. The panel can’t become the reason your DNS gets slow.
API access
curl "https://api.dnswiz.app/v1/me/firewall/refused?limit=50" \
  -H "Authorization: Bearer $DNSWIZ_API_KEY"

{
  "items": [
    {
      "zone_id": "a1b2c3d4-0000-0000-0000-000000000000",
      "qname": "example.com.",
      "qtype": "ANY",
      "source_ip": "203.0.113.42",
      "country": "RU",
      "reason": "qtype-refused",
      "checked_at_ms": 1779911185632
    }
  ]
}
Newest first. limit caps the response (1–200). Works with a session token or an API key.
Current limits
- No alerting yet: the panel is something you watch, not something that pings you. On the roadmap.
- Workspace-wide: the panel isn’t filtered per zone; the API returns everything for your workspace and you can filter client-side.
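An added example (not dnswiz's own code) covering both the export suggested under Retention and the client-side zone filtering noted above: it merges overlapping poll responses into a local archive, filters by zone, and counts refusals per reason and source. The sample responses and the second zone ID are constructed, and because the documented response has no event ID, using the full field tuple as the de-duplication key is an assumption.

```python
import json
from collections import Counter

FIELDS = ("checked_at_ms", "zone_id", "qname", "qtype", "source_ip", "country", "reason")

def merge_poll(archive, response_text):
    """Add items not yet seen to archive; return how many were new.
    Assumption: the documented response has no event id, so the full field
    tuple is the identity (identical refusals in the same ms collapse)."""
    added = 0
    for item in json.loads(response_text).get("items", []):
        key = tuple(item.get(f) for f in FIELDS)  # country may be missing
        if key not in archive:
            archive[key] = item
            added += 1
    return added

def for_zone(archive, zone_id):
    """Client-side zone filter, oldest first."""
    rows = [i for i in archive.values() if i.get("zone_id") == zone_id]
    return sorted(rows, key=lambda i: i["checked_at_ms"])

def summarize(rows):
    """Count refusals per (reason, source_ip), most frequent first."""
    return Counter((r["reason"], r["source_ip"]) for r in rows).most_common()

# Constructed sample data: two overlapping polls in the documented shape.
ZONE_A = "a1b2c3d4-0000-0000-0000-000000000000"
ZONE_B = "ffffffff-0000-0000-0000-000000000000"

def row(zone, qname, qtype, ip, country, reason, ms):
    return {"zone_id": zone, "qname": qname, "qtype": qtype, "source_ip": ip,
            "country": country, "reason": reason, "checked_at_ms": ms}

FIRST = row(ZONE_A, "example.com.", "ANY", "203.0.113.42", "RU", "qtype-refused", 1779911185632)
POLL_1 = json.dumps({"items": [
    FIRST,
    row(ZONE_B, "example.net.", "A", "198.51.100.7", None, "rate-limited", 1779911185000)]})
POLL_2 = json.dumps({"items": [
    row(ZONE_A, "example.com.", "ANY", "203.0.113.42", "RU", "qtype-refused", 1779911187900),
    row(ZONE_A, "example.com.", "AXFR", "192.0.2.9", "DE", "qtype-refused", 1779911186100),
    FIRST]})  # FIRST repeats because the two polls overlap

if __name__ == "__main__":
    archive = {}
    for poll in (POLL_1, POLL_2):
        print("new events:", merge_poll(archive, poll))
    for (reason, ip), n in summarize(for_zone(archive, ZONE_A)):
        print(f"{n:3d}  {reason:<15} {ip}")
```

In practice each poll's text would be the body returned by the curl call above, saved while the events are still in the live window.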