[9.718] odd DNS traffic to Cloudflare

Hi, we've got UTM 9.718 running in AWS... lately, we're seeing AWS GuardDuty events for outbound DNS to

162.159.27.50

which is registered to Cloudflare.

In Network Services, DNS, Forwarders, we are only using Google's DNS servers (8.8.8.8 & 8.8.4.4).

There is no firewall rule to allow outbound DNS from the internal networks.

I have no idea what is generating the traffic to 162.159.27.50. That IP does not appear in any of the firewall's logs.

We do not have Sandstorm or ATP enabled, so I can't think of what else might use it. Any ideas?

Thanks,

Barry

  • It looks like this address is an authoritative nameserver, presumably for domains/zones registered with Cloudflare. It doesn't appear to be one of Cloudflare's public resolvers (like 1.1.1.1).

    The BIND DNS service on UTM will fall back to recursive resolution under some circumstances if it is unable to get an answer from the configured forwarder resolvers. Recursive resolution is when the nameserver does a full set of queries, starting with the root servers, to determine which is the official authoritative server for the requested domain and to ask that server for the answer to the original query.

    Traffic initiated by the DNS service on the UTM is not subject to firewall rules that apply to traffic from the internal networks.

    If you want to investigate further what DNS requests are triggering these queries, you could try connecting to your UTM via SSH and run tcpdump - it will show you details of the queries that are being made.

    # tcpdump host 162.159.27.50 and udp port 53

  • Thank you Rich for that info.

    I've been watching it with tcpdump for the last 24 hours, but it's only happening intermittently according to GuardDuty.

    I'll keep an eye on it. Thanks!
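Since the queries are intermittent, a practical follow-up to Rich's tcpdump suggestion is to leave `tcpdump -n udp port 53` running to a file and then triage the output offline. The script below is an added example, not from the thread or from Sophos: it parses tcpdump-style DNS query lines, flags any query sent to a destination other than the forwarders named in the post (8.8.8.8 and 8.8.4.4), and groups the queried names per unexpected destination. The sample lines are constructed, and the use of the "+" flag (recursion-desired) as a hint that the UTM itself was doing iterative resolution is a tcpdump output convention, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Forwarders configured on the UTM in the thread; anything else is unexpected.
ALLOWED_FORWARDERS = {"8.8.8.8", "8.8.4.4"}

# tcpdump -n prints a DNS query as:
#   <ts> IP <src>.<sport> > <dst>.53: <id>[+] <qtype>? <name>. (<len>)
# A "+" after the transaction id means the recursion-desired bit was set.
# Iterative queries made by a resolver doing its own recursion omit it.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+(?P<rd>\+)? "
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+)\."
)


def parse_query(line):
    """Return a dict for a DNS query line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
        "rd": m.group("rd") == "+", "qtype": m.group("qtype"),
        "name": m.group("name"),
    }


def unexpected_queries(lines, allowed=ALLOWED_FORWARDERS):
    """Keep only queries whose destination is not a configured forwarder."""
    return [q for q in map(parse_query, lines) if q and q["dst"] not in allowed]


def summarize(queries):
    """Group the names asked per unexpected destination, for triage."""
    by_dst = defaultdict(Counter)
    for q in queries:
        by_dst[q["dst"]][q["name"]] += 1
    return by_dst


# Constructed sample capture in tcpdump -n style (not real traffic).
SAMPLE = """\
10:01:02.000001 IP 10.0.1.20.40001 > 8.8.8.8.53: 1001+ A? www.example.com. (33)
10:01:02.010000 IP 8.8.8.8.53 > 10.0.1.20.40001: 1001 1/0/0 A 93.184.216.34 (49)
10:01:02.000120 IP 10.0.1.20.40002 > 8.8.4.4.53: 1002+ AAAA? www.example.com. (33)
10:01:05.000300 IP 10.0.1.20.40003 > 162.159.27.50.53: 1003 A? cdn.example.net. (33)
10:01:05.000900 IP 10.0.1.20.40004 > 162.159.27.50.53: 1004 NS? example.net. (29)
"""

if __name__ == "__main__":
    for dst, names in summarize(unexpected_queries(SAMPLE.splitlines())).items():
        print(dst, dict(names))
```

Queries to the unexpected destination that lack the "+" flag are consistent with the UTM's own resolver falling back to recursion, as Rich describes, rather than an internal host pointing at Cloudflare directly.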