diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 865eee0f72b6..dd2d115db0be 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -46,13 +46,19 @@ options {
 };
 */
 /*
- * If there is a firewall between you and nameservers you want
- * to talk to, you might need to uncomment the query-source
- * directive below. Previous versions of BIND always asked
- * questions using port 53, but BIND versions 8 and later
- * use a pseudo-random unprivileged UDP port by default.
- */
- // query-source address * port 53;
+ Modern versions of BIND use a random UDP port for each outgoing
+ query by default in order to dramatically reduce the possibility
+ of cache poisoning. All users are strongly encouraged to utilize
+ this feature, and to configure their firewalls to accommodate it.
+
+ AS A LAST RESORT in order to get around a restrictive firewall
+ policy you can try enabling the option below. Use of this option
+ will significantly reduce your ability to withstand cache poisoning
+ attacks, and should be avoided if at all possible.
+
+ Replace NNNNN in the example with a number between 49160 and 65530.
+ */
+ // query-source address * port NNNNN;
 };
 
 // If you enable a local name server, don't forget to enter 127.0.0.1
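Review bot: The new comment tells the reader to pick a fixed port for `query-source` but never states the concrete consequence — a fixed port disables the per-query source-port randomization that the first paragraph says protects against cache poisoning — nor which alternative keeps that protection while still satisfying a firewall. Before the `AS A LAST RESORT` paragraph I would add one line inside the block comment: `Prefer to leave query-source unset and allow outbound UDP from the dynamic port range on the firewall; if the range must be narrowed, use-v4-udp-ports keeps randomization within a smaller range.` (`use-v4-udp-ports` exists in BIND 9.5 and later, so confirm against the BIND version this tree ships before citing it). As a point of style, the removed lines prefixed each comment line with ` * ` while the added lines are bare text inside the `/* ... */` block; keeping the ` * ` prefix would match the comment style visible in the removed lines and presumably the rest of the file. The bounds "between 49160 and 65530" are slightly narrower than the IANA dynamic range 49152-65535, which is harmless, but a short clause saying why these bounds were chosen would stop readers from second-guessing the numbers.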