Common DNS Exploits

The WatchGuard DNS proxy provides protection from these attacks (among others):

Name	Type of Attack	Method of Attack	Transport	CVE	Source Code*	Notes
tsig	shell	Buffer overflow	UDP/TCP	CVE-2001-0010	Yes, although it is unverified in its simplest form of attachment (DoS)	The exploit in its general form sends a DNS request (UDP or TCP) containing arbitrary code to the server. When the server crashes, the arbitrary code is inserted onto the server and run. This can be any code, so the subsequent TCP session that the script invokes is irrelevant. The proxy rejects a packet that contains arbitrary code, protecting from any damage beyond a simple DoS.
nxt**(ADMROCKS)	shell	Buffer overflow	TCP	CVE-1999-0833	Yes	Server crash and shell access happen simultaneously over TCP response to a standard query from the targeted server. The proxy blocks the response. This means the user must be proxying outbound DNS requests.
iquery	shell	Buffer overflow	TCP	CVE-1999-0009	Yes	Uses a malformed iquery.
infoleak	Information leak	Unclear	UDP	CVE-2001-0012	Yes	This exploit exposes the program stack (apparently read-only). Information gained is used with other exploits in gaining remote shell access. Blocking inverse queries prevents this attack.
zxfr	DoS	Segmentation violation	TCP	CVE-2000-0887	Yes	If a compressed zone transfer (qtype zxfr) is requested from a server for which zxfr is not enabled, the server can crash.
srv	Dos	Unknown	UDP	CVE-2000-0888	Yes	SRV is a query type blocked by default.
so_linger	DoS	Bad TCP sequence	TCP	CVE-1999-0837	Yes	This exploit is based upon irregular TCP sequences.
sig	DoS	Segv	UDP	CVE-1999-0835	Yes	SIG is a query type blocked by default.
* All source code was found on the Internet, indicating that, for these known bugs, there are known exploits in wide circulation.
** On the SANS top 10 list.

Return to Top