I created a rule in CSA 6.0 that, by default, blocks any application on any machine being connected as a server. On a DC we made an exception for the server to be connected on UDP 53 for DNS. However, we are seeing the following messages below. The port ranges from, so far, 30,000-65,000. It seems odd that dns.exe would be accepting a connection as a server on all of those ports. Has anyone seen this before or had this happen to them or is this normal? Also, it is running OpenDNS.
Audit: The process 'C:\WINDOWS\system32\dns.exe' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on UDP port 61660 from 18.104.22.168 using interface Wired\HP NC7761 Gigabit Server Adapter. The operation would have been denied.