Why are root servers hitting my firewall?

[Mathias Körber]

> My firewall logs indicate that some of the root name servers are
> hitting its external interface and being denied. They're hitting high
> numbered ports.  There are no DNS servers on my network that would be
> of use to anyone on the internet, they are all authoritative only for
> zones within my private organization.

Maybe someone in your net is running a caching only server on his machine
w/o going through your official local nameservers?
The high destination ports would indicate that. Can't you determine the destination
IP address and then check the machine they are trying to reach?