Private Public DNS question

Barry Margolin barmar at
Wed Mar 22 23:42:09 UTC 2000

In article <B5C5D2CDB8BCD2118E4800A0C9D8E4C7B2A9DA at>,
 <vladimirs at> wrote:
>Certain commercial sites ( and do not like replying to
>low port # DNS queries.  The symptom is that most external DNS queries work
>except for these sites.  The issue is caused by FW-1 NATing the DNS query
>(which defaults from port 53) to a low port address.  Apple and WorldCom DNS
>servers do not like this and the queries time out.  
>The problem can be resolved by setting DNS' "Query Source Address" from the
>default port of 53 to a high port, like 1053.  This setting is located under
>DNS properties, Configuration (I am using Meta IP product from Checkpoint
>Software Technologies). When the query hits the FW-1, it gets NATed to a
>higher port address.  This works wonderfully with apple, wcom and everyone

This seems very strange.  The purpose of "query-source port 53" is to make
BIND 8 act like BIND 4 did.  If what you're saying is true, sites that are
still using BIND 4 nameservers (if not the majority, certainly a large
number) would not be able to look up names in those domains.  I think this
is extremely unlikely, especially for a high-visibility site like

Barry Margolin, barmar at
GTE Internetworking, Powered by BBN, Burlington, MA
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
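As an added illustration, not code from either poster: the two `named.conf` settings the thread is arguing about, written in BIND 8/9 `options {}` syntax. The first pins every outgoing query to UDP source port 53 (the BIND 4 behaviour that `query-source ... port 53` emulates); the second lets `named` choose an unprivileged port per query, which is what changing the "Query Source Address" port in the Meta IP GUI does. The address 192.0.2.10 and the directory are placeholders, and the two blocks are alternatives, not meant to appear in the same file.

```conf
// named.conf fragments (added example; 192.0.2.10 is a placeholder address).
// Use ONE of the two options{} blocks below, not both.

// Alternative 1: BIND 4 behaviour. Every outbound query leaves from UDP port 53.
// A NAT device in the path must remap that single low port for every query and
// translate each answer back to it; a fixed port is also predictable to anyone
// outside, which is why later BIND releases moved to a random port per query.
options {
    directory "/var/named";
    query-source address 192.0.2.10 port 53;
};

// Alternative 2: let named pick an unprivileged source port for each query
// ("port *" is the wildcard). The firewall must then allow UDP from
// 192.0.2.10 on any source port to destination port 53, and the replies back.
options {
    directory "/var/named";
    query-source address 192.0.2.10 port *;
};
```

To see what actually reaches the remote server, capture on the firewall's external interface (for example `tcpdump -n -i <ext-if> udp and dst port 53`) and compare the source port in each packet with the port `named` was configured to use; if the two differ, the firewall is rewriting the port, as the original poster describes.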