> But it turned out that when our DNS Server has to query a root name server, it sends out a UDP query with a random higher (>1023) source port number, which means that I will have to open >1023 ports access to this server from outside.
You don't have to open ports on your firewall that correspond with the source port number of your outgoing traffic. You can make any DNS queries without opening ports; you only need to open ports to OFFER service, not to request it. And even then, it is only going to be UDP (and possibly TCP) port 53. --Daniel
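To make Daniel's point concrete, here is an added example (not code from the thread) modelling how a stateful firewall such as iptables/nftables conntrack treats a DNS query: the outbound 5-tuple is recorded, the reply to the random high source port is matched against it, and only a deliberately offered service port (53) accepts unsolicited traffic. The class, addresses and packets are constructed for illustration.

```python
# Added example: toy stateful packet filter illustrating why DNS replies to an
# ephemeral (>1023) source port need no inbound port opened. Constructed names.
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Tracks outbound flows and admits only their replies, like conntrack.

    offer_dns=True models a host that SERVES DNS to the outside; only then is
    unsolicited traffic to port 53 accepted (Daniel's 'offer, not request').
    """

    def __init__(self, offer_dns: bool = False):
        self.offer_dns = offer_dns
        # (proto, local_ip, local_port, remote_ip, remote_port); real conntrack
        # ages UDP entries out after a timeout, which this toy omits.
        self.flows = set()

    def outbound(self, pkt: Packet) -> bool:
        # Remember the query's 5-tuple; the random source port is recorded
        # here, not "opened" as a listening port.
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                        pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A reply swaps the tuple: its destination is our recorded source port
        # and it must come from the peer we actually queried.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return True
        # Unsolicited traffic is accepted only on a port we deliberately offer.
        if self.offer_dns and pkt.dst_port == DNS_PORT and pkt.proto in ("udp", "tcp"):
            return True
        return False
```

A packet aimed at the same high port but from a host that was never queried is dropped, which is the property a rule like "open ports 1024-65535" would throw away.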
