On Wed, 23 Jul 2008 12:40:42 -0400, John Hinton wrote:

> I'm running caching nameservers on almost all of my systems and then
> also three nameservers. All are available publicly. I too had hard
> coded bind to port 53. I also had specifically opened port 53
> through the firewall. But now, it appears that using only port 53 is
> a bad thing. From what I read, both the port and the ID need to
> change to be secure
> (even this is just security through obscurity). It's sounding like
> I'll need to open a port range, but I don't know what a 'good
> practice' will be.

Port 53 is the DNS port used by the world (and your internal private networks) to query your name server. If your name server is intended to provide domain resolution publicly, just how do you expect the public to find it if you're randomly changing ports? The world won't port scan your machine until it finds a name server answering on one of them.

DNS requests, internal or external, will come into your box on port 53, and there would be no point to running a name server (private, public, caching or otherwise) if this port is not open through the firewall.

You've misunderstood the issues of DNS security. It would be dangerous to start messing with your firewall rules until you understand exactly how the process works.
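An added example, not part of this thread, that makes the distinction in the reply concrete: queries arriving at the server's port 53 are the listener traffic that the firewall must admit, while it is the source port of the resolver's own outbound recursive queries that should vary rather than stay pinned. The log format, addresses and the resolver IP are constructed for illustration.

```python
"""Separate inbound listener traffic from a resolver's outbound queries
and flag a pinned outbound source port (constructed sample, not real logs)."""
import re
from collections import Counter

RESOLVER_IP = "192.0.2.53"  # assumed address of the name server being checked

# Constructed iptables-LOG-style lines. Clients query the listener on DPT=53;
# the resolver's own recursive queries go OUT to authoritative servers.
PINNED_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=40211 DPT=53
IN=eth0 SRC=198.51.100.9 DST=192.0.2.53 PROTO=UDP SPT=51802 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.11 PROTO=UDP SPT=53 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.12 PROTO=UDP SPT=53 DPT=53
"""
# Same listener traffic, but outbound queries use varying ephemeral ports.
RANDOM_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.53 PROTO=UDP SPT=40211 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.10 PROTO=UDP SPT=48321 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.11 PROTO=UDP SPT=60117 DPT=53
OUT=eth0 SRC=192.0.2.53 DST=203.0.113.12 PROTO=UDP SPT=33902 DPT=53
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=UDP SPT=(\d+) DPT=(\d+)")


def classify(log, resolver_ip=RESOLVER_IP):
    """Return (inbound_count, outbound_count, Counter of outbound source ports)."""
    inbound = outbound = 0
    src_ports = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, spt, dpt = m.groups()
        if dst == resolver_ip and dpt == "53":
            inbound += 1          # clients reaching the listener: must be allowed
        elif src == resolver_ip and dpt == "53":
            outbound += 1         # resolver's own recursive query
            src_ports[int(spt)] += 1
    return inbound, outbound, src_ports


def source_port_pinned(log, resolver_ip=RESOLVER_IP):
    """True when every outbound query left from a single fixed source port."""
    _, outbound, ports = classify(log, resolver_ip)
    return outbound > 0 and len(ports) == 1
```

Inbound port 53 traffic is counted but never flagged; only a constant outbound source port is reported, which is the condition to fix in the resolver configuration rather than by opening a port range inbound.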