Why are root servers hitting my firewall?

[Cricket Liu]

> My firewall logs indicate that some of the root name servers are
> hitting its external interface and being denied. They're hitting high
> numbered ports.  There are no DNS servers on my network that would be
> of use to anyone on the internet, they are all authoritative only for
> zones within my private organization.
> 
> While there's probably no harm, I'd be interested to know what's going
> on.

They're probably replying to queries sent from your internal name servers'
high-numbered ports.

cricket