It turns out the two random open ports are related to the dynamic DNS feature (NSUPDATE).

I modified the source code as per instructions at (http://forums.debian.net/viewtopic.php?f=10&t=95273) (forums.debian.net, dhclient UDP ports, 2013-02-01), recompiled, and reran with the random ports disappearing.

Bug Report: Add into the documentation for dhclient that it has the NSUPDATE functionality which causes it to listen on the IPv4 and IPv6 ANY_ADDR interface on random UDP ports.

Additionally their should be a run-time configuration option that enables that behavior with it disabled by default. A recompile should not be required to disable the ports.

On Thu, May 2, 2013 at 4:57 PM, Rodney D Beede via RT <dhcp-bugs@isc.org> wrote:

Also seen on Debian.

http://forums.debian.net/viewtopic.php?f=10&t=95273

-------------------------------------------------------------------------
> When I run dhclient it listens on the expected port 68. However, in
> addition to that port it also listens on a high number random IPv4 port and
> IPv6 port (even if I specify -4 as an option).
>
> Reading through the source code would make me think this is related to
> OMAPI somehow?
>
> I tried this on Ubuntu Server 13.04 64-bit which came with dhclient version
> 4.2.4. I also downloaded, compiled, and tried the latest version
> isc-dhclient-4.2.5-P1. I get the same result.
>
> I believe this is a bug. Either it shouldn't be listening on these ports
> or it should be documented what they are used for.
>
> Screenshots attached.[image: Inline image 1]
>
> [image: Inline image 2]
>
>