By default, dnsmasq uses low source ports for its communications. It should use source ports above 1024 for security reasons.
It seems dnsmasq is using too wide a range for outgoing UDP ports. Because dnsmasq has the privilege to listen on ports below 1024, it also uses these ports for queries.
Some of the low ports are dropped by BIND when they arrive, without ever giving them a reply. Those ports are: 7, 13, 19 and 37. Target port 464 would be dropped on reply.
Commit  fixes queries to start at the unprivileged port boundary. I think it should not use a custom random port generator but let the OS assign random ports instead. The current released dnsmasq does not allow that.
The default range of the system is obtained by sysctl. It might be wise to use a range similar to that.
$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999
The current default for min-port is port 0, which includes ports below net.ipv4.ip_unprivileged_port_start.
Posted a question to the dnsmasq mailing list with proposed patches to use random ports from the operating system instead.
There is a workaround for this issue. Use min-port in the configuration with a value of at least net.ipv4.ip_unprivileged_port_start, that is 1024.
Just add min-port=1024 to /etc/dnsmasq.conf or any file in /etc/dnsmasq.d/*.conf.
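One way to audit a host for the workaround described above, as an added example that is not part of the original bug report or of dnsmasq itself. The function names are hypothetical, and it assumes that the last min-port line read is the one that takes effect and that an unset min-port means 0, the default named in this report.

```shell
#!/bin/sh
# Audit dnsmasq configuration for the min-port workaround (added example).

# effective_min_port FILE...
# Prints the min-port value set in the given files, or 0 (the default the
# report describes) when no file sets it.
# Assumption: the last occurrence read takes effect.
effective_min_port() {
    value=0
    for file in "$@"; do
        [ -r "$file" ] || continue
        # Match "min-port=N" with optional whitespace; commented lines are skipped.
        found=$(sed -n -E \
            's/^[[:space:]]*min-port[[:space:]]*=[[:space:]]*([0-9]+).*$/\1/p' \
            "$file" | tail -n 1)
        if [ -n "$found" ]; then
            value=$found
        fi
    done
    echo "$value"
}

# check_min_port FLOOR FILE...
# Returns 0 when the effective min-port is at or above FLOOR, 1 otherwise.
check_min_port() {
    floor=$1
    shift
    port=$(effective_min_port "$@")
    if [ "$port" -ge "$floor" ]; then
        echo "OK: min-port=$port is at or above $floor"
        return 0
    fi
    echo "WARN: min-port=$port is below $floor;" \
         "dnsmasq may send queries from privileged source ports"
    return 1
}

# Run against the paths named in the report when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
    check_min_port "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" \
        /etc/dnsmasq.conf /etc/dnsmasq.d/*.conf
fi
```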
*** Bug 1626248 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.