Subject: Re: firewall and DNS question
To: None <rh@vip.at>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 12/29/1999 10:55:35
On Wed, 29 Dec 1999, Rene Hexel wrote:

>   AFAIK, you can configure bind8 to use some other port than 53 (which
> may be blocked by your ISP) for _outgoing_ requests.  It will then still
> listen on port 53 for incoming requests (acting as a DNS for those).

I believe it now does this by default.

You can also convince BIND to listen on particular interfaces for
requests, rather than all interfaces. In this case, you'd want it
listening on all ports except the outside interface toward your ISP. They
will then not see a DNS server running, and will have no way of knowing
that the requests coming out of your machine are from a server doing
lookups, rather than a client. (Well, they might clue in when they see
you going to nameservers other than theirs, but you could always set up
your server so that it only forwards requests to their name servers.)

As for them `blocking all ports commonly used by hackers,' well, that
would be every port out there. I wouldn't trust these guys as far as
I can throw them. There's absolutely no reason you shouldn't have your
own firewall, and if you're using NAT, they cannot prove that you have
multiple machines behind that router. Just tell them you don't.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   917 532 4208   De gustibus, aut bene aut nihil.
The most widely ported operating system in the world: http://www.netbsd.org
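The three BIND 8 settings discussed above (a non-53 source port for
outgoing queries, listening only on the inside interface, and forwarding
everything to the ISP's resolvers) put together in one named.conf
options block. This is an added illustration, not a configuration from
the original posting or from the BIND project; the interface and
forwarder addresses are placeholders, and the directory path is an
assumption.

```conf
options {
    directory "/var/named";             /* assumed zone/cache directory */

    /* Listen only on the inside (LAN) interface and loopback, so the
     * ISP-facing interface never answers port 53 and shows no server. */
    listen-on port 53 { 192.0.2.1; 127.0.0.1; };   /* placeholder LAN addr */

    /* Outgoing lookups use an unprivileged, randomly chosen source port
     * rather than 53, so they look like ordinary client traffic.  Do not
     * pin "port" to a fixed number: a predictable source port makes
     * cache poisoning far easier. */
    query-source address * port *;

    /* Send every query to the ISP's resolvers (placeholder addresses) and
     * never go to other nameservers directly, so the ISP sees only
     * traffic toward its own servers. */
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward only;
};
```

After changing listen-on, confirm with `netstat -an | grep 53` (or `lsof -i :53`) that named is bound only to the inside address and loopback, and test from a LAN host with `dig @192.0.2.1 example.com` that the server still answers there.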