I am trying to debug a DNS issue we're having with a few domains, and I have run across some strange behavior. If I directly query their DNS using dig, I get a response. If, however, I let my DNS server ask (using a source port of 53), the query seems to drop into a black hole.
The "good" queries, generated by 'dig mx mwmg.com @<theirIP>':

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:22:35.929965 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53: 64781+ MX? mwmg.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774: 64781*- 2/5/5 mwmg.com. MX[|domain]
16:22:35.981553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53: 24533+ MX? mwmg.com. (26)
16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774: 24533*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.041330 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53: 28663+ MX? mwmg.com. (26)
16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774: 28663*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.091515 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53: 29634+ MX? mwmg.com. (26)
16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774: 29634*- 2/5/5 mwmg.com. MX[|domain]
The "bad" queries, when I let my DNS server do the asking for me:
16:23:13.273239 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53: 23036 [1au] MX? mwmg.com. (37)
16:23:15.277325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53: 64536 [1au] MX? mwmg.com. (37)
16:23:17.281891 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.192.1.53: 34458 [1au] MX? mwmg.com. (37)
16:23:19.286253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 35884 MX? mwmg.com. (26)
16:23:21.286655 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 65460 MX? mwmg.com. (26)
16:23:23.291087 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 59086 MX? mwmg.com. (26)
16:23:25.295724 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.192.1.53: 5122 MX? mwmg.com. (26)
16:23:27.300226 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 53089 MX? mwmg.com. (26)
16:23:29.304645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 12885 MX? mwmg.com. (26)
16:23:37.306880 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.196.1.53: 21131 MX? mwmg.com. (26)
So...have folks started dropping traffic originating from port 53?!?
How did I miss this memo, or am I missing something obvious in the above?
-- 
Charles Steinkuehler [email protected]
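The post's two captures differ only in the client's source port, and the diagnosis rests on pairing each outgoing query with its reply (or noting that none came back). The following script is an added example, not part of the original message or of any tool it mentions: it parses `tcpdump -v` DNS lines of the shape shown above, matches replies to queries by (client address, client port, server address, transaction ID), and reports answered versus unanswered queries per client source port. The sample capture embedded in it is constructed by copying lines from the post; the regular expression assumes the `tcpdump -v` line layout those lines use and would need adjusting for other tcpdump verbosity levels.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four query/reply pairs from the "good" capture (client
# source port 32774) and four queries from the "bad" capture (client source
# port 53), copied from the post. Packet lines were joined in transit; one
# packet per line is what tcpdump actually emits.
SAMPLE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:22:35.929965 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.193.1.53: 64781+ MX? mwmg.com. (26)
16:22:35.978142 IP (tos 0x0, ttl 119, id 26954, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.193.1.53 > 199.79.203.4.32774: 64781*- 2/5/5 mwmg.com. MX[|domain]
16:22:35.981553 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.197.1.53: 24533+ MX? mwmg.com. (26)
16:22:36.037816 IP (tos 0x0, ttl 119, id 27090, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.197.1.53 > 199.79.203.4.32774: 24533*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.041330 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.192.1.53: 28663+ MX? mwmg.com. (26)
16:22:36.088247 IP (tos 0x0, ttl 119, id 26125, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.192.1.53 > 199.79.203.4.32774: 28663*- 2/5/5 mwmg.com. MX[|domain]
16:22:36.091515 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.4.32774 > 98.124.196.1.53: 29634+ MX? mwmg.com. (26)
16:22:36.147736 IP (tos 0x0, ttl 119, id 10602, offset 0, flags [none], proto: UDP (17), length: 323) 98.124.196.1.53 > 199.79.203.4.32774: 29634*- 2/5/5 mwmg.com. MX[|domain]
16:23:13.273239 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.193.1.53: 23036 [1au] MX? mwmg.com. (37)
16:23:15.277325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 65) 199.79.203.10.53 > 98.124.196.1.53: 64536 [1au] MX? mwmg.com. (37)
16:23:19.286253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.197.1.53: 35884 MX? mwmg.com. (26)
16:23:21.286655 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 54) 199.79.203.10.53 > 98.124.193.1.53: 65460 MX? mwmg.com. (26)
"""

# One tcpdump -v packet line: timestamp, "IP (<ip header fields>)", then
# "src.sport > dst.dport: txid<flags> ...". The header parenthesis may nest
# ("proto: UDP (17)"), so it is matched non-greedily up to the ") src" boundary.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rest>.*)$"
)
QUERY_RE = re.compile(r"\s([A-Z0-9]+)\?")      # "... MX? mwmg.com." marks a query
REPLY_RE = re.compile(r"\d+/\d+/\d+")          # "2/5/5" an/ns/ar counts mark a reply


@dataclass
class Exchange:
    client: str
    client_port: int
    server: str
    txid: int
    qtype: str
    sent: str                       # timestamp of the query
    answered: Optional[str] = None  # timestamp of the reply, None if it never came


def parse_capture(text: str) -> list:
    """Parse tcpdump -v output and pair each DNS query with its reply."""
    pending = {}   # (client, client_port, server, txid) -> Exchange awaiting a reply
    exchanges = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner line or something that is not a packet record
        txid, rest = int(m.group("txid")), m.group("rest")
        qm = QUERY_RE.search(rest)
        if qm:
            ex = Exchange(m.group("src"), int(m.group("sport")), m.group("dst"),
                          txid, qm.group(1), m.group("ts"))
            pending[(ex.client, ex.client_port, ex.server, txid)] = ex
            exchanges.append(ex)
        elif REPLY_RE.search(rest):
            # A reply travels server -> client, so swap the roles when keying.
            key = (m.group("dst"), int(m.group("dport")), m.group("src"), txid)
            ex = pending.pop(key, None)
            if ex is not None:
                ex.answered = m.group("ts")
    return exchanges


def summarize_by_source_port(exchanges: list) -> dict:
    """Return {client_source_port: (answered, unanswered)}."""
    stats = defaultdict(lambda: [0, 0])
    for ex in exchanges:
        stats[ex.client_port][0 if ex.answered else 1] += 1
    return {port: tuple(counts) for port, counts in stats.items()}


def unanswered(exchanges: list) -> list:
    """Queries that never received a reply in the capture."""
    return [ex for ex in exchanges if ex.answered is None]


if __name__ == "__main__":
    exchanges = parse_capture(SAMPLE)
    for port, (ok, lost) in sorted(summarize_by_source_port(exchanges).items()):
        print(f"client source port {port}: {ok} answered, {lost} unanswered")
    for ex in unanswered(exchanges):
        print(f"  no reply: {ex.client}:{ex.client_port} -> {ex.server} txid {ex.txid} {ex.qtype}")
```

Run against the post's own packets, the summary shows every query from port 32774 answered and every query from port 53 unanswered, which isolates the source port as the variable. The per-port view is also a quick check that the resolver is sending from a fixed source port of 53 at all, something the "bad" capture makes visible in the `199.79.203.10.53 >` column.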