Adding The Dns Proxy Service - Watchguard Firebox X1000 User Manual

Chapter 9: Configuring Proxied Services
valid transaction signature but no valid key, processing
steps that initialize important variables (notably the
required buffer size) are skipped. Subsequent function
calls make invalid assumptions about the size of the
request buffer, which can cause requests with legitimate
transaction signatures and keys to trigger a buffer over-
flow. Used in conjunction with other attack tools, this type
of attack results in a server crash and the attacker gaining
unauthorized access to your root shell through an out-
bound TCP connection. Using this connection, the attacker
can execute arbitrary code on your network.
Some versions of BIND are also vulnerable to another type
of buffer overflow attack that exploits how NXT (or next)
records are processed. Attackers can set the value of a key
variable such that the server crashes and the attacker gains
unauthorized access. The DNS proxy protects your DNS
servers from both the TSIG and NXT attacks, along with a
number of other types of DNS attacks. For more informa-
tion on the DNS proxy, see the DNS Proxy section of the
following collection of FAQs:
https://support.watchguard.com/advancedfaqs/proxy_main.asp
Unless you have a DNS server for public use, you should not
use this proxy.

Adding the DNS Proxy Service

When you add the DNS proxy, you can best protect your
network by applying the proxy to both inbound and out-
bound traffic. You can also set up the DNS proxy so that
any denied packets (inbound or outbound) generate log
records. You can use LogViewer to check your log files for
records that indicate DNS attacks, which in turn lets you
see how often and from where you were attacked.
1
On the toolbar, click the Add Services icon.
2 Expand the Proxies folder.
A list of pre-configured proxies appears.
156
N
OTE
WatchGuard Firebox System