Category Archives: Watchguard

DNS Security Extensions and Why You Should Care

Tomorrow (May 5), at 17:00 GMT, all 13 root DNS servers on the Internet will begin using DNSSEC (Domain Name System Security Extensions) to reply to user requests. Here’s why you might care about this.

As most of our readers know, DNS is what translates the URL you type into your browser (like “”) into an IP address (like “″) that your computer can actually use to send packets of data across the Internet. If you have a Windows Server-based network, one (or more) of your Windows Servers is probably providing DNS services to the users on your network. But the DNS server on your network doesn’t automatically know where everything is. If it needs to resolve an address that doesn’t happen to already be in its local cache, it has to ask some other DNS server out on the Internet. Sometimes those queries go all the way to one of the root servers.

It’s been recognized for quite some time that the existing protocol used for DNS queries isn’t entirely secure. Therefore, the international standards bodies have been working on a more secure standard, which is DNSSEC. DNSSEC uses digital signatures to authenticate DNS responses, so your computer knows the response actually came from an authoritative DNS server.

So what’s the problem? The potential problem is that those DNS responses will arrive in significantly larger data packets than before. Specifically, rather than using UDP packets that are smaller than 512 bytes, the responses will not only be longer, but may be broken into multiple TCP packets. Some routers and firewalls specifically inspect DNS traffic to look for anomalies, and if you have older equipment that doesn’t know about the DNSSEC standard, these changes may very well look like anomalies, and be blocked. That would mean that your DNS clients or DNS server would not be able to communicate with the public root DNS servers, and that would mean that you would start having problems resolving DNS.

These problems may be intermittent in nature at first, because some DNS requests may be able to be resolved by using locally cached information…but DNS records typically have a “time to live” built into them, so eventually the cached information will expire and have to be refreshed. So if you do have a problem, it’s likely to get worse with time.

There are some tools available to help you determine whether you’re likely to have a problem. If you’re comfortable using a DNS query tool like dig (which is a command-line query that can be run from most unix or linux systems), you can find instructions on using it at If you don’t have access to a unix or linux host, or don’t feel comfortable using such a tool, you can download a Java utility from, and run it on any system with Java run-time installed (which includes most Windows systems). Just download and save the file, then double-click it.

Watchguard customers should note that if you have a Watchguard Firebox or XTM appliance with current firmware, you should not have any issues with these new DNSSEC packets.

Quick Tip For Your WatchGuard Service Renewal

As all IT professionals are aware, most hardware and software companies offer some type of support/maintenance renewal, WatchGuard Technologies is no different.

They offer a variety of subscription services with their WatchGuard XTM or Firebox X appliances. These services are either sold separately or as a bundle of services for one, two, or three year terms. Services available include:

  • SpamBlocker - with virus outbreak detection
  • WebBlocker - with HTTP and HTTPS inspection
  • Gateway AntiVirus - for signature-based protection from known threats
  • Intrusion Prevention Service - with comprehensive attack and spyware protection
  • LiveSecurity® Service - hardware replacement warranty, free software updates, 24/7 telephone support

For more information about what each service is please contact us here at

The main objective of this post is not about the services themselves but rather about the renewal process. Each WatchGuard system we sell comes bundled with LiveSecurity Service for the first year. Since customers who own multiple WatchGuard systems have often bought them at different times, and since it is possible to renew LiveSecurity for multiple years, it is often the case that a customer can have different WatchGuard units whose coverage expires at different times of the year. Some companies prefer to keep these renewals separate to spread out their renewal costs over the year while others prefer to have a single renewal date for all of their WatchGuard units.

When renewing a WatchGuard subscription, Moose Logic will place an order with WatchGuard and typically within 48 hours an email is sent to us as well as to the customer contact who was in charge of the renewal. That email will contain a license key for each renewal. The customer is responsible for logging in to their WatchGuard account and entering those license keys. This will result in the display of a feature key. At this point the customer needs to copy and paste that feature key into the actual WatchGuard unit, only then is the renewal complete - and the services the company has paid for will become available.

(Note that if you don’t have the time or skills to perform these tasks when you renew, Moose Logic will be happy to do it for you. Yes, we will bill you for our time - although if you are a MooseGuardTM Gold or Platinum customer, that work effort would be covered by your plan.)

Now there is a twist to this. If we change the date of the renewal (e.g., in order to synchronize renewal dates for multiple units) that change is implemented directly by WatchGuard, and NO LICENSE KEY WILL BE SENT TO YOU. Since no new license key is made available to the end user, no email is sent to remind you that you need to log into the WatchGuard online portal and retrieve the feature key to be copied and pasted on the physical unit.

So the important lessons of the day are:

  1. If you chose to synchronize your WatchGuard renewal dates it will take a little longer to get the renewal done (usually 4-5 business days) since someone at WatchGuard has to manually update your renewal dates, and
  2. It is important to mark your calendar so that you log in to your account after 4-5 days and see if the feature key is available.

If we’re handling the process for you (either because you’re a MooseGuard customer or because you’ve asked us to) it’s not an issue, because we know what the process is. But if you’re handling the renewal yourself…don’t just sit back and think that you’re done just because you’ve placed the renewal order. If the new feature key doesn’t get entered in your unit, the features you’re subscribing to are going to stop working - and that would be what we call, in technical terms, a “bad thing.”