I now have a definitive situation. When trying to resolve host names:

1.) From a server running BIND9 behind the firewall server - both local and internet queries work correctly.

2.) From the firewall server running BIND9 - the local query works correctly but the internet query fails as follows.

  2.1.) Running the firewall in TEST mode I get:
    dig @localhost local.host.name    - success with status NOERROR
    dig @localhost internet.host.name - success with status NOERROR

  2.2.) Running the firewall in normal mode I get:
    dig @localhost local.host.name    - success with status NOERROR
    dig @localhost internet.host.name - failure with status REFUSED

  and the following DROP lines in /var/log/messages:

    Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187
    Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455

3.) Running the firewall in normal mode and setting FW_SERVICES_EXT_TCP="domain":
    dig @localhost local.host.name    - success with status NOERROR
    dig @localhost internet.host.name - success with status NOERROR

  BUT port 53 on the firewall is open!

My problem is this - how can I get the firewall to allow DNS queries from the firewall machine to the internet without opening port 53? I have had this configuration working before in versions 7.0, 8.1 and 8.2 - but I just can't get it to work this way in 9.0 for some reason.
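As an added example (not from the post and not SuSEfirewall2 code), a small Python parser for the SuSE-FW-DROP lines quoted above that picks out inbound UDP drops with SPT=53 and DPT=53, the shape consistent with replies to queries the firewall's own BIND sent from source port 53. The first two sample lines are the ones from the post; the third is constructed for contrast and is not DNS at all.

```python
import re
from typing import Dict, List

# Two lines from the post plus one constructed non-DNS drop (TCP to ident/113) for contrast.
SAMPLE_LOG = """\
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455
Feb 10 16:32:01 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=203.0.113.7 DST=82.33.145.89 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=1025 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
"""

DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: SuSE-FW-DROP (?P<fields>.*)$"
)


def parse_drop_line(line: str) -> Dict[str, str]:
    """Turn one SuSE-FW-DROP kernel line into a dict of its KEY=VALUE fields.

    Bare flags such as DF or SYN are stored as "1".  A key that occurs twice
    (LEN: first the IP total length, then the UDP/TCP payload length) keeps its
    first value and the repeat is stored under KEY_2, so nothing is overwritten.
    """
    m = DROP_RE.match(line)
    if not m:
        return {}
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if key in rec:
            key += "_2"
        rec[key] = val if sep else "1"   # "OUT=" keeps an empty value; "DF" becomes "1"
    return rec


def is_dropped_dns_reply(rec: Dict[str, str]) -> bool:
    """Inbound UDP from port 53 to port 53: a DNS answer addressed to a resolver
    that sent its query from source port 53, which the firewall cannot tell
    apart from unsolicited inbound DNS traffic."""
    return (rec.get("IN", "") != "" and rec.get("PROTO") == "UDP"
            and rec.get("SPT") == "53" and rec.get("DPT") == "53")


def dropped_dns_replies(log_text: str) -> List[Dict[str, str]]:
    """All SuSE-FW-DROP records in log_text that look like dropped DNS replies."""
    records = (parse_drop_line(ln) for ln in log_text.splitlines())
    return [r for r in records if r and is_dropped_dns_reply(r)]


if __name__ == "__main__":
    for r in dropped_dns_replies(SAMPLE_LOG):
        print(f'{r["ts"]} dropped DNS reply from {r["SRC"]} -> {r["DST"]}:{r["DPT"]} ({r["LEN_2"]} bytes payload)')
```

If the flagged records are the only drops that coincide with the failing queries, the resolver on the firewall is sourcing its outbound queries from port 53, and any rule that admits those answers by port alone also admits everything else sent to port 53.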