User guide

Chapter 9: Configuring Proxied Services
124 WatchGuard Firebox System
attacks that cause a buffer overflow, which crash the targeted server and enable the attacker to gain unauthorized access to your network.

One attack uses a flaw in the transaction signature (TSIG) handling code. When BIND encounters a request with a valid transaction signature but no valid key, processing steps that initialize important variables (notably the required buffer size) are skipped. Subsequent function calls make invalid assumptions about the size of the request buffer, which can cause requests with legitimate transaction signatures and keys to trigger a buffer overflow. Used in conjunction with other attack tools, this type of attack results in a server crash and the attacker gaining unauthorized access to your root shell through an outbound TCP connection. Using this connection, the attacker can execute arbitrary code on your network.
Some versions of BIND are also vulnerable to another type of buffer overflow attack that exploits how NXT (or "next") records are processed. Attackers can set the value of a key variable such that the server crashes and the attacker gains unauthorized access. The DNS proxy protects your DNS servers from both the TSIG and NXT attacks, along with a number of other types of DNS attacks. For more information on the DNS proxy, see the DNS Proxy section of the following collection of FAQs:
https://support.watchguard.com/advancedfaqs/proxy_main.asp
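The common thread in the TSIG and NXT problems described above is a server trusting a length or count field inside the packet instead of the bytes that actually arrived. The script below is an added illustration of the kind of consistency checking a DNS proxy can do before forwarding a packet; it is example code written for this edition, not WatchGuard's DNS proxy implementation and not BIND's code. It parses the DNS wire format, checks every RDLENGTH, the TSIG MAC size and the TSIG other-data length against the bytes present, requires a TSIG record to be the single last record and to carry class ANY, and counts NXT records so they can be logged. The record layout and type numbers follow RFC 1035 and RFC 2845; the sample query, the key name key.example. and the zero-filled MAC are constructed for the demonstration and are not a real signed message.

```python
import struct

TYPE_NXT = 30    # NXT record type (RFC 2535, long obsolete)
TYPE_TSIG = 250  # TSIG meta-RR (RFC 2845): class ANY, last record of the additional section

class MalformedMessage(ValueError):
    """Any length or placement inconsistency; a proxy drops such a packet instead of forwarding it."""

def read_name(msg, offset, allow_pointer=True):
    """Decode a possibly compressed name; return (dotted name, offset just past it in place)."""
    labels, end = [], None
    while True:
        if offset >= len(msg):
            raise MalformedMessage("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not allow_pointer or offset + 1 >= len(msg):
                raise MalformedMessage("bad or truncated compression pointer")
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if target >= offset:  # must point strictly backwards, so loops are impossible
                raise MalformedMessage("compression pointer does not point backwards")
            end = offset + 2 if end is None else end
            offset = target
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (offset if end is None else end)
        if offset + length > len(msg):
            raise MalformedMessage("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def parse_rr(msg, offset):
    """Parse one resource record, checking RDLENGTH against the bytes that actually remain."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise MalformedMessage("RR fixed fields truncated")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    if offset + rdlength > len(msg):
        raise MalformedMessage(f"RDATA of {name} claims {rdlength} bytes, {len(msg) - offset} remain")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[offset:offset + rdlength]}
    return rr, offset + rdlength

def parse_tsig_rdata(rdata):
    """Parse TSIG RDATA; every internal length field is checked against the RDATA size."""
    alg, off = read_name(rdata, 0, allow_pointer=False)  # RFC 2845: algorithm name is never compressed
    if off + 10 > len(rdata):
        raise MalformedMessage("TSIG fixed fields truncated")
    time_hi, time_lo, fudge, mac_size = struct.unpack_from("!HIHH", rdata, off)
    off += 10
    if off + mac_size + 6 > len(rdata):
        raise MalformedMessage("TSIG MAC size exceeds RDATA")
    mac, off = rdata[off:off + mac_size], off + mac_size
    _original_id, error, other_len = struct.unpack_from("!HHH", rdata, off)
    if off + 6 + other_len != len(rdata):
        raise MalformedMessage("TSIG other-data length inconsistent with RDATA")
    return {"algorithm": alg, "time_signed": (time_hi << 32) | time_lo, "fudge": fudge, "mac": mac, "error": error}

def inspect_message(msg):
    """Walk every section as a proxy would before forwarding; return a summary or raise."""
    if len(msg) < 12:
        raise MalformedMessage("header truncated")
    msg_id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise MalformedMessage("question truncated")
        questions.append((name,) + struct.unpack_from("!HH", msg, offset))
        offset += 4
    for _ in range(an + ns + ar):
        rr, offset = parse_rr(msg, offset)
        records.append(rr)
    if offset != len(msg):
        raise MalformedMessage(f"{len(msg) - offset} trailing bytes after the last record")
    tsigs = [r for r in records if r["type"] == TYPE_TSIG]
    if tsigs and (len(tsigs) != 1 or records[-1] is not tsigs[0] or tsigs[0]["class"] != 255):
        raise MalformedMessage("TSIG must be the single last record and carry class ANY")
    tsig = parse_tsig_rdata(tsigs[0]["rdata"]) if tsigs else None
    return {"id": msg_id, "questions": questions, "tsig": tsig, "nxt_count": sum(r["type"] == TYPE_NXT for r in records)}

def proxy_decision(msg):
    try:
        return "forward", inspect_message(msg)
    except MalformedMessage as exc:
        return "drop", str(exc)

def encode_name(name):  # wire-encode a dotted name without compression (sample construction only)
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".") if label) + b"\x00"

def build_tsig_query(qname, mac=b"\x00" * 16, claimed_mac_size=None):
    """Constructed sample: a TSIG-signed A query; claimed_mac_size lets a test lie about the MAC length."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # one question, one additional RR
    mac_size = len(mac) if claimed_mac_size is None else claimed_mac_size
    rdata = (encode_name("hmac-md5.sig-alg.reg.int.") + struct.pack("!HIHH", 0, 0x3A000000, 300, mac_size)
             + mac + struct.pack("!HHH", 0x1234, 0, 0))
    tsig = encode_name("key.example.") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(rdata)) + rdata
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + tsig
```

A well-formed sample query comes back as "forward" with the parsed TSIG fields; the same packet with its last five bytes cut off, or with a MAC size field larger than the RDATA that carries it, comes back as "drop" before any signature verification is attempted. Verifying the MAC itself (and rejecting a valid signature with an unknown key) is the server's job and is deliberately out of scope here; the proxy's contribution is refusing to pass on packets whose length fields do not add up.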
Adding the DNS Proxy Service
When you add the DNS proxy, you can best protect your network by applying the proxy to both inbound and outbound traffic. You can also set up the DNS proxy so that any denied packets (inbound or outbound) generate log records. You can use LogViewer to check your log files for records that indicate DNS attacks, which in turn lets you see how often and from where you were attacked.
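The log review described above, as an added example that is not part of the original guide: the sample lines are constructed in a hypothetical key=value layout, not the Firebox log format that LogViewer reads, so the regular expression would need adjusting for real log files. The script counts denied DNS packets by source address, direction and denial reason, records the first and last time each source was seen, and lists sources that keep coming back.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical layout (not the Firebox/LogViewer format).
SAMPLE_LOG = """\
2001-03-14 10:22:05 dns-proxy deny in src=192.0.2.10 dst=10.0.0.53 proto=udp dport=53 reason=malformed-tsig
2001-03-14 10:22:06 dns-proxy deny in src=192.0.2.10 dst=10.0.0.53 proto=udp dport=53 reason=malformed-tsig
2001-03-14 10:22:09 dns-proxy allow out src=10.0.0.53 dst=198.51.100.7 proto=udp dport=53
2001-03-14 10:23:41 dns-proxy deny out src=10.0.0.77 dst=203.0.113.9 proto=udp dport=53 reason=bad-nxt
2001-03-14 10:25:00 dns-proxy deny in src=198.51.100.99 dst=10.0.0.53 proto=tcp dport=53 reason=malformed-tsig
2001-03-14 10:25:01 dns-proxy deny in src=192.0.2.10 dst=10.0.0.53 proto=udp dport=53 reason=bad-nxt
"""

# Timestamp, fixed "dns-proxy" tag, action, direction, then free key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) dns-proxy (?P<action>allow|deny) (?P<dir>in|out) (?P<kv>.*)$")

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "action": m["action"], "direction": m["dir"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def summarize_denials(text):
    """Aggregate denied packets: who sent them, which way they were going, and why they were dropped."""
    by_source, by_reason, by_direction = Counter(), Counter(), Counter()
    first_last, unparsed = {}, 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, never silently ignore, lines the parser does not understand
            continue
        if rec["action"] != "deny":
            continue
        src = rec.get("src", "unknown")
        by_source[src] += 1
        by_reason[rec.get("reason", "unspecified")] += 1
        by_direction[rec["direction"]] += 1
        first_last.setdefault(src, [rec["ts"], rec["ts"]])[1] = rec["ts"]  # assumes chronological input
    return {"by_source": by_source, "by_reason": by_reason, "by_direction": by_direction,
            "first_last": first_last, "unparsed": unparsed}

def repeat_offenders(summary, threshold=3):
    """Sources whose denied packets reach the threshold, most frequent first, with the period seen."""
    return [(src, n, *summary["first_last"][src])
            for src, n in summary["by_source"].most_common() if n >= threshold]

if __name__ == "__main__":
    report = summarize_denials(SAMPLE_LOG)
    for src, n, first, last in repeat_offenders(report):
        print(f"{src}: {n} denied DNS packets between {first} and {last}")
    print("by reason:", dict(report["by_reason"]), "by direction:", dict(report["by_direction"]))
```

Raising the threshold turns the report from a full listing into a short list of sources worth blocking or reporting upstream; the reason counts separate a malformed-packet campaign against your servers from an internal host that is itself sending bad queries outbound.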
1 On the toolbar, click the Add Services icon.
2 Expand the Proxies folder.
A list of pre-configured proxies appears.
3 Click DNS-Proxy. Click Add.
The Add Service dialog box appears. You can change the name assigned to the DNS proxy or change the comment associated with the proxy.
4 Click OK to close the Add Service dialog box.
The DNS-Proxy Properties dialog box appears.