Comment 1 for bug 1176046

Rodney Beede (business2008+launchpad) wrote :

I found the cause from a helpful thread at http://forums.debian.net/viewtopic.php?f=10&t=95273

The NSUPDATE DNS functionality in dhclient automatically causes it to listen on two random UDP ports. This could pose a security issue since the client will accept packets on these ports.

The current fix is to modify the source code to disable the functionality as per the thread mentioned above. Doing so stops it from listening on the random ports.

I have filed a bug with ISC, bug number [ISC-Bugs #33377], asking for documentation about this feature (none exists currently about why the ports are opened) as well as a run-time configuration option with a default value to disable it.
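
A check for the behaviour described in the comment above, added here as an example that is not part of the original comment or of ISC's code: it parses `ss -H -lunp` output and reports UDP sockets held by dhclient on ports other than the DHCP client ports. The sample output, the port allow-list and the function names are constructed for illustration.

```python
import re
import subprocess

# Assumption: ports a DHCP client legitimately binds (68 = DHCPv4, 546 = DHCPv6).
EXPECTED_PORTS = {68, 546}

# Constructed sample of `ss -H -lunp` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=812,fd=6))
UNCONN 0 0 0.0.0.0:41234 0.0.0.0:* users:(("dhclient",pid=812,fd=20))
UNCONN 0 0 [::]:23456 [::]:* users:(("dhclient",pid=812,fd=21))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=500,fd=12))
"""

LOCAL_RE = re.compile(r"^(.*):(\d+)$")  # local "address:port" column
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')  # entries in users:(...)


def unexpected_udp_ports(ss_output, process="dhclient"):
    """Return sorted (pid, local_address, port) tuples for UDP sockets owned by
    `process` that are bound to a port outside EXPECTED_PORTS."""
    findings = set()
    for line in ss_output.splitlines():
        # The first column ending in ":<digits>" is the local address; the peer
        # column of an unconnected socket ends in ":*" and never matches.
        local = next((m for m in map(LOCAL_RE.match, line.split()) if m), None)
        if local is None:
            continue
        addr, port = local.group(1), int(local.group(2))
        for name, pid in OWNER_RE.findall(line):
            if name == process and port not in EXPECTED_PORTS:
                findings.add((int(pid), addr, port))
    return sorted(findings)


def scan_live_host():
    """Run ss on this host and apply the same check to its output."""
    out = subprocess.run(["ss", "-H", "-lunp"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_udp_ports(out)


if __name__ == "__main__":
    for pid, addr, port in unexpected_udp_ports(SAMPLE_SS_OUTPUT):
        print(f"dhclient pid {pid} listening on unexpected UDP {addr}:{port}")
```

`scan_live_host()` needs to run as root, since `ss -p` only shows the owning process for sockets the caller is allowed to inspect.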