Ok..I pretty sure now that this is just snort reporting when the dns-server sends back the data from the lookup. The dns-server just happens to send it to some port that snort is looking for traffic on. But wont this make it very easy to hide your attempts to connect to a backdoor ( or something ), you spoof yourself as 10.0.0.1 and the person reading the logs will just ignore that since they know that it's just the dns-server?
// peter