Common DNS Exploits

The WatchGuard DNS proxy provides protection from these attacks (among others):




Type of Attack
Method of Attack
Source Code*
tsig shell Buffer
UDP/TCP CVE-2001-0010 Yes, although it is unverified in its simplest form of attachment (DoS) The exploit in its general form sends a DNS request (UDP or TCP) containing arbitrary code to the server. When the server crashes, the arbitrary code is inserted onto the server and run. This can be any code, so the subsequent TCP session that the script invokes is irrelevant. The proxy rejects a packet that contains arbitrary code, protecting from any damage beyond a simple DoS.
nxt**(ADMROCKS) shell Buffer
TCP CVE-1999-0833 Yes Server crash and shell access happen simultaneously over TCP response to a standard query from the targeted server. The proxy blocks the response. This means the user must be proxying outbound DNS requests.
iquery shell Buffer
TCP CVE-1999-0009 Yes Uses a malformed iquery.
infoleak Information leak Unclear UDP CVE-2001-0012 Yes This exploit exposes the program stack (apparently read-only). Information gained is used with other exploits in gaining remote shell access. Blocking inverse queries prevents this attack.
zxfr DoS Segmentation violation TCP CVE-2000-0887 Yes If a compressed zone transfer (qtype zxfr) is requested from a server for which zxfr is not enabled, the server can crash.
srv Dos Unknown UDP CVE-2000-0888 Yes SRV is a query type blocked by default.
so_linger DoS Bad TCP sequence TCP CVE-1999-0837 Yes This exploit is based upon irregular TCP sequences.
sig DoS Segv UDP CVE-1999-0835 Yes SIG is a query type blocked by default.
* All source code was found on the Internet, indicating that, for these known bugs, there are known exploits in wide circulation.
** On the SANS top 10 list.


Return to Top

Copyright © 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.
Legal Notice/Terms of Use