On 7/9/08, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> mcbride@ pointed out that you can give named some more protection
> by natting outbound udp traffic destined for port 53 (even just on
> the box running the resolver, it doesn't have to be on a firewall
> in front). something like,
>
> nat on egress proto udp from (self) to any port 53 -> (self)
I don't think this actually accomplishes much. It still lets poisoned replies back in on the previous port number.
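To put numbers on the two positions above, here is an added example (written for this page, not code from the thread, from named or from pf) that models what a blind, off-path spoofer has to guess under three policies: a fixed query source port, the quoted nat rule on its own, and the nat rule plus an inbound block on the original port. The 50001-65535 range is pf's default for translated source ports per pf.conf(5) and is assumed to be in effect; the "nat_blocked" policy is an assumption of this example and is not something the thread proposes; named is modelled as matching a reply on destination port and transaction ID only.

```python
"""Added example (not from the thread, named or pf): how much a blind
off-path attacker must guess to slip a forged UDP reply past a recursive
resolver under the source-port policies discussed above.

Assumptions, also noted inline: pf's default random source-port range
50001-65535 is in effect, named accepts a reply that matches the
(port, txid) of an outstanding query, and 'nat_blocked' adds an inbound
block on the original port that the thread itself does not propose.
"""
import random

TXID_BITS = 16                              # DNS transaction ID width
PF_PORT_LOW, PF_PORT_HIGH = 50001, 65535    # pf.conf(5) default range for
                                            # translated source ports (assumed)
PORT_CHOICES = PF_PORT_HIGH - PF_PORT_LOW + 1

POLICIES = ("fixed", "nat", "nat_blocked")


class Resolver:
    """Minimal model of named's outstanding-query table and of what a UDP
    reply must match to be accepted.

    fixed       : every query leaves from one fixed source port (pre-nat case)
    nat         : pf rewrites the outbound source port (the quoted rule), but
                  nothing stops a reply aimed straight at the original port
    nat_blocked : same nat, plus (assumption) an inbound rule that drops
                  packets sent to the original port without a pf state
    """

    def __init__(self, policy, fixed_port=53, seed=0):
        assert policy in POLICIES
        self.policy = policy
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)
        self.outstanding = {}           # (port_seen_on_wire, txid) -> qname

    def send_query(self, qname):
        txid = self.rng.getrandbits(TXID_BITS)
        if self.policy == "fixed":
            port = self.fixed_port
        else:
            port = self.rng.randint(PF_PORT_LOW, PF_PORT_HIGH)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def accept_reply(self, port, txid):
        """True if a reply addressed to (port, txid) reaches named and
        matches an outstanding query."""
        if (port, txid) in self.outstanding:
            return True
        if self.policy == "nat" and port == self.fixed_port:
            # The objection raised in the thread: pf only translated the
            # outbound side.  A forged reply sent directly to the resolver's
            # original port is still delivered, and named then matches on
            # the 16-bit txid alone.
            return any(t == txid for (_, t) in self.outstanding)
        return False


def guess_space(policy):
    """Number of (port, txid) combinations a blind attacker must cover."""
    if policy == "nat_blocked":
        return PORT_CHOICES << TXID_BITS
    return 1 << TXID_BITS               # port is fixed or effectively known


def success_probability(policy, forged_replies):
    """P(at least one of N independent forged replies matches one
    outstanding query) = 1 - (1 - 1/space)^N."""
    n = guess_space(policy)
    return 1.0 - (1.0 - 1.0 / n) ** forged_replies


def simulate(policy, forged_per_query=1000, queries=500, seed=1):
    """Monte Carlo cross-check of success_probability: for each query the
    attacker fires `forged_per_query` random guesses at the (port, txid)
    space, aiming at the known original port unless the port is hidden."""
    rng = random.Random(seed)
    hits = 0
    for i in range(queries):
        r = Resolver(policy, seed=seed + i)
        r.send_query("victim.example")       # constructed sample query
        target_port = r.fixed_port           # attacker knows the original port
        for _ in range(forged_per_query):
            txid = rng.getrandbits(TXID_BITS)
            port = (target_port if policy != "nat_blocked"
                    else rng.randint(PF_PORT_LOW, PF_PORT_HIGH))
            if r.accept_reply(port, txid):
                hits += 1
                break
    return hits / queries


if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:12s} space={guess_space(p):>12d} "
              f"P(hit | 65536 forged)={success_probability(p, 65536):.5f} "
              f"sim={simulate(p):.3f}")
```

The point of the model is the gap the reply describes: under "nat" the attacker who aims at the original port faces the same 65536-way guess as with no nat at all, so the rule only buys anything if replies to the original port are dropped, which is what the assumed "nat_blocked" policy represents. Replace the port range and the matching rule with whatever your named and pf versions actually do before drawing conclusions for a real host.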