query-source address * port 53

Jim Reid jim at rfc1035.com
Tue Feb 20 19:45:46 UTC 2001


>>>>> "Joe" == Borgia Joe A Contr AFRL/IFOS <Joe.Borgia at rl.af.mil> writes:

    Joe> I haven't been able to find an "easy to understand"
    Joe> explanation of this option anywhere. When I don't have it
    Joe> enabled, things *seem* to not work properly for external
    Joe> resolution. When I do have it enabled, things *seem* to work
    Joe> properly again.

    Joe> My understanding of this option is that it pins down DNS
    Joe> queries, both requests and responses, so that they only flow
    Joe> through that port.

Close enough.

    Joe> This was never an issue with BIND 4.

True. By default, BIND4 always used port 53 as the source port for the
queries it made. In BIND8 and 9 a random, unprivileged port is chosen
for those outgoing queries. This upsets firewalls that expect the old
BIND4 behaviour. What you should do is configure BIND to use a fixed,
unprivileged port for its outgoing queries and let the firewall pass
that traffic in and out.
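The fixed-port configuration the reply recommends, written out as an added example (it is not a fragment posted in the thread). The `options` block belongs in `named.conf`; 192.0.2.10 is an assumed address for the name server, and port 53 as the fixed source port matches the option in the subject line, though any fixed unprivileged port would satisfy the firewall equally well.

```conf
options {
    directory "/var/named";

    // Send every outgoing UDP query from 192.0.2.10, source port 53.
    // 192.0.2.10 is an assumed address for this example; "*" means
    // "any local address". Without the "port" clause BIND 8 and 9 pick
    // a random unprivileged port per query, which a firewall written
    // for BIND 4's port-53-to-port-53 traffic will not pass.
    query-source address 192.0.2.10 port 53;

    // The port clause applies to UDP only; TCP queries (retries after a
    // truncated reply) use a random port, so the firewall must also allow
    // TCP to remote port 53 from any local port.
    // query-source-v6 and transfer-source are the IPv6 and AXFR analogues.
};
```

The matching firewall rules then permit UDP from 192.0.2.10 port 53 to any port 53 and the replies back, plus TCP to remote port 53 with the return traffic. Note that BIND 9.5 and later randomize the source port by default and the BIND ARM discourages pinning it, since a predictable source port makes cache poisoning easier; if a firewall must be told the ports in use, `use-v4-udp-ports { range 1024 65535; };` narrows the randomized range without fixing it.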

