Usually, port 53 is used for DNS queries and transactions over both tcp and udp, while http GET request traffic is handled over tcp 80 or 8080 (or ssl encrypted over 443).
Instead, currently we have an unusual set of files, often named “qq_updates.cab” that are being renamed and run on a fairly high number of user systems (they are not cab files. They are malicious executables) and querying http servers hosted in China over tcp port 53 for gif files (1.gif, 2.gif, 3.gif, B.gif, c.gif, etc). These queries are not standard dns lookup requests as a network admin might expect, or standard http requests for image files.
The responses for these gif file requests are either location information and directions to download more spyware executables or are additional spyware executables themselves, designed to steal a user names and passwords from multiple gaming applications. Some of the writers are becoming more clever and using encoded data over that port as well. Prevalence is high, and network admins may want to monitor dns ports for unusual http traffic for .gif files carrying nothing but executable content.
They abuse a common error in firewall building, to allow tcp connections from the inside to the world.
There are two options for network-admins:
1. Start using an application layer firewall, instead of a packetfilter.
2. If you can not upgrade to an application layer firewall, make your rules tighter: For example, configure a dns server inside your network and only let that server talk to the outside on port 53, or even better, configure forwarding to 2 specific dns-servers from your ISP, and let them handle all the lookups and forward you the result.
BTW: resolving dns is only done over UDP, only synching zone-files you need tcp. So if you do not host a dns-server, you can close the tcp connections on port 53.