Subject: Re: bind (was: Is my ipfilter list secure?)
To: None <netbsd-users@netbsd.org>
From: Jim Breton <jamesb-netbsd@alongtheway.com>
List: netbsd-users
Date: 04/30/2002 05:44:18
On Fri, Apr 26, 2002 at 03:20:39PM -0400, Steven M. Bellovin wrote:
> I'm not sure about bind 8, but with bind 9, the query port is *not* 53. 
> I use the following on my laptop:
> 
> options {
>         directory "/etc/namedb";
>         listen-on { 127.0.0.1; 172.16.212.1; };
>         query-source port 60000;
>         allow-query { 127.0.0.1; 172.16.212.0/24; };
> };

named.conf(5) on 1.5.3_ALPHA (BIND 8.2.3):

Query Address

If the server doesn't know the answer to a question, it will query other
nameservers.  query-source specifies the address and port used for such
queries.  If address is * or is omitted, a wildcard IP address (INADDR_ANY)
will be used.  If port is * or is omitted, a random unprivileged port will
be used.  The default is query-source address * port *;

Note: query-source currently applies only to UDP queries; TCP queries always
use a wildcard IP address and a random unprivileged port.


Wouldn't one be better off just using the randomly-selected source port
and ipf's stateful filtering?
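For comparison, here are the two ways the thread is talking about, written
out as ipf rules.  This is an added illustration, not from either poster's
configuration; the interface name ne0 and the port 60000 from the quoted
named.conf are assumptions, and the rules only cover the resolver's own
outbound lookups, not queries from clients.

```conf
# Approach A: pin the UDP query port in named.conf and match it statically.
#
#   options {
#       query-source address * port 60000;
#   };
#
# Anything from port 53 to local port 60000 is let in, whether or not we
# actually sent a query.  Per the named.conf(5) note, this only covers UDP;
# TCP queries still leave from a random unprivileged port, so they need a
# stateful rule of their own or they get blocked.
pass out quick on ne0 proto udp from any port = 60000 to any port = 53
pass in  quick on ne0 proto udp from any port = 53 to any port = 60000

# Approach B: leave query-source at its default (address * port *) and let
# ipf track the outbound query, so the reply is passed only if a matching
# query was seen, for UDP and TCP alike.  Nothing needs to be opened inbound.
pass out quick on ne0 proto udp from any to any port = 53 keep state
pass out quick on ne0 proto tcp from any to any port = 53 flags S keep state
block in quick on ne0 all
```

With approach B the state entry carries the source port the resolver
happened to pick, so there is no reason to fix it, and the TCP case the
man page warns about is handled by the same mechanism.  Approach A is
only useful if the filter cannot keep state; with the port pinned, anyone
who can reach port 60000 gets through the filter without having been
asked anything.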