Strongly discourage the use of the query-source option, and explain why.

Give a better example if a user absolutely must use this option, and
suggest they pick something from the ephemeral port range rather than
port 53. This means that the example will not work if it is merely
uncommented, but this will hopefully encourage users to read the comment.

etc/namedb/named.conf

@@ -46,13 +46,19 @@ options {
 	};
 */
 	/*
-	 * If there is a firewall between you and nameservers you want
-	 * to talk to, you might need to uncomment the query-source
-	 * directive below.  Previous versions of BIND always asked
-	 * questions using port 53, but BIND versions 8 and later
-	 * use a pseudo-random unprivileged UDP port by default.
-	 */
-	// query-source address * port 53;
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
 };
 
 // If you enable a local name server, don't forget to enter 127.0.0.1