Paul A wrote:
> Correct me if I'm wrong but from my understanding doesn't the new BIND randomize outgoing source ports only? - If so then if you have your firewall to allow established connections you should be all set.
That's a good point, just tested it out on my firewall, removed the port 53 option from named.conf and restarted bind and can still query it internally and externally for its authoritative domains.
Perhaps my firewall is just less strict than it used to be (migrated from FreeBSD to OpenBSD about a year ago). I don't recall what the ruleset used to look like. I do recall having to enable that option years ago, else I couldn't query through the firewall.
Still, I think caching name servers should be more protected whenever possible, as this "fix" isn't really a fix; it just makes it a bit harder to determine what the id is.
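A defender's check for the named.conf setting this thread is about, added here as an example and not part of the original exchange: it scans a BIND configuration for a query-source directive that pins the outgoing port (which is what disables the source-port randomization), and the sample configs and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: scan a named.conf for a query-source
# directive that pins the outgoing port, which defeats BIND's source-port
# randomization. Only // and # comments are stripped; /* */ blocks are not.
# Exit status: 0 when no fixed port is configured, 1 when one is found.
check_query_source() {
    conf="$1"
    pinned=$(sed -e 's|//.*||' -e 's|#.*||' "$conf" \
        | grep -E 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+' || true)
    if [ -n "$pinned" ]; then
        printf 'fixed query port in %s:\n%s\n' "$conf" "$pinned"
        return 1
    fi
    return 0
}

# Constructed sample configs (hypothetical paths) for a stand-alone run.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;   // pins the port: every query uses 53
};
EOF
    cat > "$1/fixed.conf" <<'EOF'
options {
    directory "/var/named";
    query-source address *;           // port chosen at random per query
    query-source-v6 address * port *; // explicit wildcard, also randomized
};
EOF
}

tmpdir=$(mktemp -d)
write_sample_configs "$tmpdir"
check_query_source "$tmpdir/weak.conf" || true  # prints the directive, returns 1
check_query_source "$tmpdir/fixed.conf"         # prints nothing, returns 0
rm -rf "$tmpdir"
```

A stateful firewall rule that keeps state on outbound UDP 53 is what lets the replies back in once the port is no longer fixed, so the check above is the server-side half of what the thread describes.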