Use of TCP port 53 for queries?

[Jim Ault]

After reviewing the BIND V9 documentation, and a month's worth of
bind-users and bind9-users list archives, I found only this reference in
Chapter 6:

"Note: query-source currently applies only to UDP queries; TCP queries
always use a wildcard IP address and a random unprivileged port."
	
My question is:  Under what circumstances does a client initiate a UDP
resolver query, and under what circumstances does a client initiate a TCP
resolver query?

Background:  We have an internal DNS server that uses two external DNS
servers as forwarding servers for external DNS lookups.  We run BIND
9.1.0 on solaris 2.7 (on all our DNS servers), and have already
configured all of our BIND servers to add the line

query-source address * port 53;

so all our queries should be coming through our firewall on port 53.

Our firewall and network engineer is seeing lots of dropped packets on
random TCP high ports.  The suspicion is that ALL tcp packets on port 53
are zone transfers, but the sentence above seems to indicate that
sometimes TCP is used for ordinary resolver queries, but I'm not sure when.
Our config files certainly don't indicate zone transfers in this case. 

If something comes in on TCP port 53 is it ALWAYS guaranteed to be a zone
transfer?  I don't think so, but I can't find documentation to make the
case clear.
	
If a client of the internal DNS server generates a TCP resolver query on
a random high port, does BIND v9.1.0 keep the high port when it forwards
the query to the external DNS forwarder host?

Thanks in advance for any help.

Jim Ault, Unix Support, GE CRD, Schenectady aultj at crd.ge.com <><