# Error on starting named (bind916)



## kerogaz (Apr 23, 2022)

When I start named I get an error

```
/usr/local/etc/namedb/named.conf:76: 'query-source' cannot specify the DNS listener port (53)
/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
```

Named starts and works fine if line 76 is commented out in named.conf

Line 76:

```
query-source address (ip dns server) port 53;
```


----------



## kerogaz (Apr 25, 2022)

Maybe someone will explain why this line 76 of named.conf is used at all if named does not work with it, but named works without it? Bind911 didn't have this problem.


----------



## SirDice (Apr 25, 2022)

kerogaz said:


> Maybe someone will explain why this line 76 of named.conf is used at all


It's not used, it's commented out in the default named.conf.


----------



## borjam (Apr 25, 2022)

Never use a single port as the source port for DNS queries.


Web-based DNS Randomness Test | DNS-OARC: www.dns-oarc.net

At most do specify a source address as the query source, not a port number.


----------



## SirDice (Apr 25, 2022)

There's a big fat warning surrounding the commented option:

```
/*
           Modern versions of BIND use a random UDP port for each outgoing
           query by default in order to dramatically reduce the possibility
           of cache poisoning.  All users are strongly encouraged to utilize
           this feature, and to configure their firewalls to accommodate it.

           AS A LAST RESORT in order to get around a restrictive firewall
           policy you can try enabling the option below.  Use of this option
           will significantly reduce your ability to withstand cache poisoning
           attacks, and should be avoided if at all possible.

           Replace NNNNN in the example with a number between 49160 and 65530.
        */
        // query-source address * port NNNNN;
```


----------
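The thread's point is that any fixed `query-source` port, not only 53, gives up the per-query source-port randomization that BIND's comment block describes as its defence against cache poisoning, and bind 9.16 additionally refuses port 53 outright. The following is an added example, not code from the thread, the FreeBSD port or BIND itself: a small linter that skips the commented-out `// query-source` line from the default named.conf, flags active statements that pin a port, and suggests the address-only form borjam recommends. The named.conf fragment and its addresses are constructed.

```python
"""Lint a BIND named.conf for query-source statements that pin the outgoing UDP
source port. Constructed example for this thread, not BIND's own tooling."""
import re

# BIND accepts C-style, C++-style and shell-style comments. Blank them out
# (keeping their newlines so line numbers stay right) so that the commented-out
# "// query-source ..." line in the default named.conf is correctly ignored.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
_QS_RE = re.compile(r"\bquery-source(-v6)?\b([^;]*);", re.IGNORECASE)
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)", re.IGNORECASE)
_ADDR_RE = re.compile(r"\baddress\s+(\S+)", re.IGNORECASE)

def strip_comments(text):
    return _COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)

def lint_query_source(conf_text):
    """Return (line, option, port, severity, suggested_fix) for every active
    query-source / query-source-v6 statement that pins a UDP source port.
    port 53 -> "error" (bind 9.16 refuses to start: it is the listener port);
    any other fixed port -> "warning" (per-query port randomization is lost,
    weakening resistance to cache poisoning); "port *" or no port -> fine."""
    findings = []
    text = strip_comments(conf_text)
    for m in _QS_RE.finditer(text):
        option = "query-source" + (m.group(1) or "")
        port_m = _PORT_RE.search(m.group(2))
        if port_m is None or port_m.group(1) == "*":
            continue  # random source port per query: the safe default
        port = int(port_m.group(1))
        addr_m = _ADDR_RE.search(m.group(2))
        # Hardened form: keep a source address if one was set, drop the port.
        fix = f"{option} address {addr_m.group(1)};" if addr_m else f"remove {option}"
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, option, port, "error" if port == 53 else "warning", fix))
    return findings

# Constructed named.conf fragment: the default commented-out option plus two
# uncommented statements like the thread's line 76 (documentation addresses).
SAMPLE_CONF = """\
options {
        directory "/usr/local/etc/namedb/working";
        /* AS A LAST RESORT ... you can try enabling the option below.
           Replace NNNNN in the example with a number between 49160 and 65530. */
        // query-source address * port NNNNN;
        query-source address 192.0.2.53 port 53;
        query-source-v6 address 2001:db8::53 port 55555;
};
"""
```

Calling `lint_query_source(SAMPLE_CONF)` reports the port-53 statement as an error and the port-55555 one as a warning, while the commented-out default line produces nothing.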

