Strongly discourage the use of the query-source option, and explain why.

Give a better example if a user absolutely must use this option, and
suggest they pick something from the ephemeral port range rather than
port 53. This means that the example will not work if it is merely
uncommented, but this will hopefully encourage users to read the comment.

etc/namedb/named.conf

@@ -46,13 +46,19 @@ options {
 	};
 */
 	/*
-	 * If there is a firewall between you and nameservers you want
+	   Modern versions of BIND use a random UDP port for each outgoing
-	 * to talk to, you might need to uncomment the query-source
+	   query by default in order to dramatically reduce the possibility
-	 * directive below.  Previous versions of BIND always asked
+	   of cache poisoning.  All users are strongly encouraged to utilize
-	 * questions using port 53, but BIND versions 8 and later
+	   this feature, and to configure their firewalls to accommodate it.
-	 * use a pseudo-random unprivileged UDP port by default.
+
-	 */
+	   AS A LAST RESORT in order to get around a restrictive firewall
-	// query-source address * port 53;
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
 };
 
 // If you enable a local name server, don't forget to enter 127.0.0.1