Openwrt isc-dhcpd-4.2.4

Every time the dhcp service starts, it listens not only on 0.0.0.0:67 but also on 0.0.0.0:PORT where PORT is a random number.

Anyone knows where this behaviour comes from?

root@OpenWrt:/# netstat -ntapue
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.0.16.1:22            0.0.0.0:*               LISTEN      898/sshd
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 10.0.16.1:514           0.0.0.0:*                           922/syslog-ng
udp        0      0 0.0.0.0:60738           0.0.0.0:*                           1290/dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1290/dhcpd
udp        0      0 10.0.16.1:69            0.0.0.0:*                           974/tftpd-hpa
netstat: /proc/net/udp6: No such file or directory

My config is:

# dhcpd.conf

ddns-updates off;

authoritative;

# don't let clients modify their own A records
ignore client-updates;

default-lease-time 3600;
max-lease-time 86400;

option domain-name "lan";

option domain-name-servers 212.24.188.130, 212.24.188.131;

subnet 10.0.16.0 netmask 255.255.255.0 {
        host marvin
        { hardware ethernet 48:5D:11:2F:22:31;
        fixed-address 10.0.16.202; }
      range 10.0.16.207 10.0.16.209;
      option subnet-mask 255.255.255.0;
      option broadcast-address 10.0.16.255;
      option routers 10.0.16.1;
      deny unknown-clients;

      next-server 10.0.16.1;
      filename "pxelinux.0";
}

Search in google returns that it's a kind of a bug:

https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046

On the launchpad there is also a link to the proposed solution (building package from source with extra options for ./configure script):

http://forums.debian.net/viewtopic.php?f=10&t=95273

I have checked release notes for latest stable (4.2.5-P1) and development (4.2.6b1 and 4.3.0b1) versions of ISC DHCPD and this bug does not seem to be fixed there.

For OpenWRT to rebuild the package from source with custom options, you need to build your own opkg package using cross-compiler for your router's architecture, or even rebuild the whole OpenWRT image: http://wiki.openwrt.org/doc/devel/packages

So to solve the security issue I would suggest you to just block all ports except needed (22, 67, 69, 514) with your firewall.