Posted on 2013-10-26
Small network of about 40 machines with a new SBS2011 server. I was about to wean our server off POP3 when I noticed in our firewall logs about 30-40 DNS (port 53) entries from external IPs happening every second on our WAN side. We have outward WAN interfaces with static IPs leading to separate networks. The second has just one box in it. I am seeing these queries on both interfaces. The first step I took was to physically disconnect from the internet, actively scan all the machines that were up (all clean) and flush the SBS DNS cache in case it was poisoned. I reconnected just the router (it is a UTM appliance with IDP) and checked the logs: same thing. I called our ISP and the tech said they hadn't received any alerts for DNS issues, thought my situation was unusual and suggested I add a second firewall. I am not seeing any unusual traffic outbound and I limit outbound traffic to necessary services only.
I could place a multihomed box just inside running Wireshark, but I wanted to run this by the community for any ideas or anything I have missed.
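A log-triage script for this kind of inbound port-53 traffic, added here as an example and not part of the original post. It assumes iptables-style firewall log lines (the sample below is constructed, using RFC 5737 addresses) and separates queries aimed at the WAN address (something treating it as a resolver) from responses arriving from port 53 (the WAN address being used as a spoofed source elsewhere), since the two point at different causes and different fixes.

```python
import re
from collections import Counter

# Constructed iptables-style log lines (RFC 5737 addresses); not from the post.
SAMPLE_LOG = """\
2013-10-26T09:00:00 IN=wan1 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=39921 LEN=512
2013-10-26T09:00:00 IN=wan1 SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=39921 LEN=498
2013-10-26T09:00:00 IN=wan1 SRC=192.0.2.44 DST=203.0.113.10 PROTO=UDP SPT=61000 DPT=53 LEN=60
2013-10-26T09:00:01 IN=wan2 SRC=198.51.100.7 DST=203.0.113.20 PROTO=UDP SPT=53 DPT=39921 LEN=512
2013-10-26T09:00:01 IN=wan1 SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=443 DPT=52000 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["spt"], r["dpt"] = int(r["spt"]), int(r["dpt"])
            records.append(r)
    return records

def summarize(records):
    """Classify inbound UDP/53 hits and measure how bursty they are.

    dpt == 53 -> a query sent to our address (it is being probed or used as a resolver)
    spt == 53 -> a response we never asked for (our address was spoofed as a query source)
    """
    queries = responses = 0
    per_source, per_second = Counter(), Counter()
    for r in records:
        if r["proto"] != "UDP" or 53 not in (r["spt"], r["dpt"]):
            continue  # not DNS traffic
        if r["dpt"] == 53:
            queries += 1
        else:
            responses += 1
        per_source[r["src"]] += 1
        per_second[r["ts"]] += 1
    return {"queries": queries, "responses": responses, "per_source": per_source,
            "peak_per_second": max(per_second.values(), default=0)}

if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"queries={s['queries']} responses={s['responses']} peak/s={s['peak_per_second']}")
    print(s["per_source"].most_common(5))
```

A high response count with many distinct sources suggests the static IP is being spoofed in queries sent to other servers, which the ISP can help confirm; a high query count means the address is being treated as a resolver and the firewall should keep UDP/53 closed inbound unless a public DNS server is intended.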