Root server DNS traffic across Linux/ipchains firewall?

Barry Margolin barmar at bbnplanet.com
Thu Oct 21 22:26:11 UTC 1999


In article <199910212208.SAA00692 at fw1-b.osis.gov>,
Joseph S D Yao  <jsdy at cospo.osis.gov> wrote:
>I'm afraid that most V8++ BINDs will be addressing you FROM random
>ports [as many current network programs do] but always TO port 53.  You
>might be well advised not to block on source ports, but only on
>destination ports.

I think the only DNS traffic he's expecting TO his firewall is replies to
his queries, i.e. it's a caching-only server.  So they should all be FROM
port 53 and TO the port specified in the "query-source" option.  Except it
sounds like queries sent to the root servers are ignoring the query-source
port.

I'm finding this difficult to believe, unless it's a new bug.  Many sites
are successfully making use of "query-source * port 53" to emulate the
behavior of BIND 4 so that they'll be compatible with firewalls that were
configured with this in mind.  If root server queries weren't using port
53, all these sites would be dead in the water.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
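To make the two positions in this exchange concrete, here is an added illustration (not code from either poster, from BIND, or from ipchains) that models a stateless packet filter deciding whether a DNS reply to a caching-only server gets through. It compares a strict rule written with BIND 4 behaviour in mind (replies must be FROM port 53 TO port 53, which only works when `query-source * port 53` is set) against a loose rule that matches only on source port 53. The `Packet`/`Rule` classes, the rule sets, the ephemeral port range and the sample packets are all constructed for the demo; the filter logic is a simplification, not ipchains' actual matching.

```python
"""Model of stateless DNS reply filtering vs. BIND's query-source setting.

Added example for the bind-users thread above; not code from the posters,
BIND or ipchains.  Packets, ports and rules are constructed for the demo.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

DNS_PORT = 53
EPHEMERAL = (1024, 65535)  # assumed unprivileged source-port range


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    direction: str  # "in" (toward the firewall/resolver) or "out"


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sport: Optional[int]  # None matches any source port
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "deny"


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match filter with a default-deny policy (a simplification)."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and (r.sport is None or r.sport == pkt.sport)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


def resolver_query(query_source_port: Optional[int], rng: random.Random):
    """Outbound query from a caching-only server and the reply it expects.

    query_source_port=53 models `query-source * port 53` in named.conf;
    None models the default of picking a random unprivileged port, so the
    reply comes back FROM 53 TO that random port.
    """
    sport = (query_source_port if query_source_port is not None
             else rng.randint(*EPHEMERAL))
    query = Packet("udp", sport, DNS_PORT, "out")
    reply = Packet("udp", DNS_PORT, sport, "in")
    return query, reply


# Firewall written with BIND 4 in mind: replies must be 53 -> 53.
STRICT_RULES = [Rule("in", "udp", 53, 53, "accept")]

# Looser filter that only checks the source port: lets replies to random
# query ports through, but also any unsolicited packet claiming sport 53.
LOOSE_RULES = [Rule("in", "udp", 53, None, "accept")]


def acceptance_rate(rules: List[Rule], query_source_port: Optional[int],
                    trials: int = 200, seed: int = 0) -> float:
    """Fraction of replies to `trials` queries that the filter lets in."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        _, reply = resolver_query(query_source_port, rng)
        accepted += first_match(rules, reply) == "accept"
    return accepted / trials


if __name__ == "__main__":
    for name, rules in (("strict 53->53", STRICT_RULES),
                        ("loose sport 53", LOOSE_RULES)):
        for qsp in (53, None):
            print(f"{name:15s} query-source port={qsp}: "
                  f"{acceptance_rate(rules, qsp):.0%} of replies accepted")
    # Constructed unsolicited packet: sport 53 aimed at an unrelated port.
    stray = Packet("udp", 53, 22, "in")
    print("stray sport-53 packet, strict:", first_match(STRICT_RULES, stray))
    print("stray sport-53 packet, loose: ", first_match(LOOSE_RULES, stray))
```

The point the simulation makes is the one behind Barry's remark about sites emulating BIND 4: pinning the query source to port 53 is what lets a stateless filter stay tight (source and destination port both 53), whereas a filter that accepts anything from source port 53 passes replies to random query ports only by also passing any packet that merely claims that source port.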

