ISA has been alerting me with port scan attacks originating from my DNS servers. I contacted my provider and emailed them the IP log from ISA, here is their reply:

"Those are the replies to your DNS queries, sent to the UDP port that was the source port for your query. From RFC 2181:

4.2. Port Number Selection

Replies to all queries must be directed to the port from which they were sent. When queries are received via TCP this is an inherent part of the transport protocol. For queries received by UDP the server must take note of the source port and use that as the destination port in the response. Replies should always be sent from the port to which they were directed. Except in extraordinary circumstances, this will be the well known port assigned for DNS queries"

I'm looking for the reason why these DNS queries to my ISP are going out on ports like 2400 and up? Here is an example of my log:

#Fields: date time source-ip destination-ip protocol Source Port Dest Port
11/28/2001 16:21:10 208.161.110.79 198.107.60.138 Udp 53 24161

Any takers?

John
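An added example, not part of the original post or the provider's reply: a small Python correlator that reads log lines in the field order shown above and treats a UDP packet from source port 53 as a DNS reply only when a matching outbound query to port 53 was logged shortly before. Only the 16:21:10 entry comes from the post; the other sample entries, the 5-second window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

DNS_PORT = 53
WINDOW = timedelta(seconds=5)  # assumed reply window, not a value from the post

# Field order copied from the post; only the 16:21:10 entry is from the post,
# the other entries are constructed for illustration.
SAMPLE_LOG = """\
#Fields: date time source-ip destination-ip protocol Source Port Dest Port
11/28/2001 16:21:09 198.107.60.138 208.161.110.79 Udp 24161 53
11/28/2001 16:21:10 208.161.110.79 198.107.60.138 Udp 53 24161
11/28/2001 16:21:40 208.161.110.79 198.107.60.138 Udp 53 24161
11/28/2001 16:21:41 208.161.110.79 198.107.60.138 Udp 53 24999
"""

def parse(line):
    """Split one log entry into (timestamp, src, dst, proto, sport, dport)."""
    date, time, src, dst, proto, sport, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return ts, src, dst, proto.lower(), int(sport), int(dport)

def classify(log_text):
    """Return (verdict, line) pairs; a reply must match a pending query."""
    pending = {}  # (client_ip, client_port, server_ip) -> time of the query
    results = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport = parse(line)
        verdict = "other"
        if proto == "udp" and dport == DNS_PORT:
            # Outbound query: remember the ephemeral source port it used.
            pending[(src, sport, dst)] = ts
            verdict = "dns-query"
        elif proto == "udp" and sport == DNS_PORT:
            # RFC 2181 4.2: the reply goes back to the query's source port.
            asked = pending.pop((dst, dport, src), None)
            in_window = asked is not None and timedelta(0) <= ts - asked <= WINDOW
            verdict = "dns-reply" if in_window else "unsolicited"
        results.append((verdict, line))
    return results

if __name__ == "__main__":
    for verdict, line in classify(SAMPLE_LOG):
        print(f"{verdict:12} {line}")
```

A log that records only the inbound side, like the single entry in the post, has nothing to match against, so every reply comes out as "unsolicited".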