Symptom: Can it be dangerous to run old DNS server software?
Problem: The DNS protocol is a very stable protocol, and the DNS working groups in the IETF are careful not to "play around" with it. However, from time to time changes to the protocol are needed. Examples are the change to the 7th field of the SOA record and how the SOA record is used in negative answers (RFC 2308, March 1998), the Clarifications to the DNS Specification (RFC 2181), and the recent rollout of DNSSEC.
Changes to the DNS protocol usually happen at a slow pace over multiple years, which gives operators of DNS servers and vendors time to move to new DNS server software that can make use of these changes.
However, if old DNS server software is never upgraded, it can become dangerous both for the network of the operator of the DNS service and for other Internet citizens.
Issues with old DNS server software include security vulnerabilities, outdated implementations of the DNS specifications that do not interoperate well with modern DNS servers on the Internet, and lack of modern features (such as EDNS0 or DNSSEC).
We know that some DNS providers on the Internet fingerprint old DNS server software (such as the old QuickDNS running on MacOS 9) and block all communication with it. This results in loss of service for the old DNS server and its client machines.
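An added example, not part of the original article, of the EDNS0 support check implied above: it builds a query carrying an EDNS0 OPT pseudo-record and parses a response for the OPT record that an EDNS-aware server echoes back. The two sample responses are constructed inline for illustration, not captured from any real server.

```python
import struct

def build_edns_query(qname, qtype=1, udp_payload=1232, txid=0x1234):
    """Build a DNS query for qname that carries an EDNS0 OPT pseudo-record (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = our UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends there
            return off + 2
        off += 1 + length

def edns_info(response):
    """Return (udp_payload, edns_version) if the response carries an OPT RR, else None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS holds the UDP payload size, TTL bits 16-23 the EDNS version
            return rclass, (ttl >> 16) & 0xFF
    return None

# Constructed sample responses (not captured from any real server) to the query below.
QUERY = build_edns_query("example.com.")
QUESTION = QUERY[12:29]                                    # the 17-byte question section
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# An EDNS-aware server answers and echoes an OPT RR advertising a 4096-byte payload size.
MODERN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + QUESTION + ANSWER \
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
# A legacy server ignores the OPT RR and answers without one.
LEGACY_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + ANSWER

if __name__ == "__main__":
    for name, resp in (("modern", MODERN_RESPONSE), ("legacy", LEGACY_RESPONSE)):
        print(name, "EDNS0:", edns_info(resp) or "not supported")
```

Against a live server, send the bytes from build_edns_query over UDP port 53 and pass the reply to edns_info; a server that returns no OPT record (or FORMERR) does not support EDNS0.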
Solution: If you have any of the following name server types running in a public network, you should upgrade as soon as possible to a modern DNS server:
- Men & Mice QuickDNS 1.0 - 3.5 on MacOS Classic (MacOS 9)
- BIND 4
- BIND 8
- BIND 9.0.0 up to, but not including, BIND 9.4-ESV-R2