* Stuart Henderson <[EMAIL PROTECTED]> [080709 07:15]:
> mcbride@ pointed out that you can give named some more protection
> by natting outbound udp traffic destined for port 53 (even just on
> the box running the resolver, it doesn't have to be on a firewall
> in front). something like,
> 
> nat on egress proto udp from (self) to any port 53 -> (self)
> 
> there - if you need to tell people you're doing something
> while you wait for a better solution, you have an option.
> check this with tcpdump and requests from multiple NS, the
> doxpara.com checker will not notice this as an improvement.

It doesn't notice this as an improvement because it is making multiple
requests to the same name server, and pf will map all these requests
using the same outgoing port.

David
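
The tcpdump check suggested in the thread can be scripted; the following is an added example, not part of either message. It groups outgoing query source ports by destination name server, so it shows both the per-server view (what a single-server checker sees) and the overall view. It assumes IPv4 lines in the format printed by `tcpdump -n udp dst port 53`. The sample capture is constructed to mirror the behaviour described above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample capture (documentation address ranges), not real traffic.
# It includes one response line, which must be ignored.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.53124 > 198.51.100.1.53: 1001+ A? a.example. (27)
12:00:01.020000 IP 198.51.100.1.53 > 192.0.2.10.53124: 1001 1/0/0 A 192.0.2.80 (43)
12:00:01.100002 IP 192.0.2.10.53124 > 198.51.100.1.53: 1002+ A? b.example. (27)
12:00:01.200003 IP 192.0.2.10.53124 > 198.51.100.1.53: 1003+ A? c.example. (27)
12:00:02.000004 IP 192.0.2.10.61007 > 203.0.113.5.53: 1004+ A? d.example. (27)
12:00:02.100005 IP 192.0.2.10.61007 > 203.0.113.5.53: 1005+ A? e.example. (27)
12:00:03.000006 IP 192.0.2.10.49988 > 198.51.100.77.53: 1006+ A? f.example. (27)
"""

# src_ip.src_port > dst_ip.53: matches outgoing queries only
QUERY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.53: ")


def ports_by_server(text):
    """Map each destination name server to the source ports used towards it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = QUERY.search(line)
        if m:
            seen[m.group(3)].append(int(m.group(2)))
    return dict(seen)


def summarize(text):
    """Count distinct source ports overall and per destination server."""
    per_server = ports_by_server(text)
    all_ports = {p for ports in per_server.values() for p in ports}
    return {
        "servers": len(per_server),
        "queries": sum(len(p) for p in per_server.values()),
        "distinct_ports_overall": len(all_ports),
        "distinct_ports_per_server": {s: len(set(p)) for s, p in per_server.items()},
    }


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for server, count in sorted(result["distinct_ports_per_server"].items()):
        print(f"{server}: {count} distinct source port(s)")
    print(f"overall: {result['distinct_ports_overall']} distinct source port(s) "
          f"across {result['servers']} servers, {result['queries']} queries")
```
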
