Port 53 flood on IPS

Started by dcol, February 08, 2018, 09:50:49 PM

Quote from: dcol on February 14, 2018, 08:31:58 PM
I will ... allow only traffic from the ISP DNS servers

Why would you do that?

1. Since you lack an authoritative public DNS server, you don't need to publish one/ any DNS service outside.
2. In a stateful router world, you only care about FW rules matching requests; you may ignore replies completely, because the firewall will dynamically "open" ports for those, and only for those, packets matching an open/ active state/ connection.

Taking 1. & 2. together, I strongly advise you to close that explicitly open port on WAN ASAP! (!) (And any other port, for that matter, not being used for a NAT-associated FW rule, or for a published service in a public IP range perimeter.)

Quote: Man, I get a lot of hits on that port. Probably about 1000 an hour. And this is not even a well-used IP, just a testing server I turn on when I need to test stuff. Glad IPS is blocking it.

Most likely you are being heavily hit on 53 just because it is (was) open, and not at all because you are flooded, nor considered a very high-interest target: bots are crawling continuously, day and night, non-stop, blindly poking IPs (and ports on each IP) as much as possible. When they do find an open port on a particular IP, that IP & port is recorded in a log. From that moment on, the record might be either passed to a more "specialized" bot, one trying only exploits for that particular port, repeatedly and heavily on that particular IP address, or maybe a human black hat is collecting the record from the log and tries different attack techniques, tools and exploits on that IP & port.

Either way, from a particular moment on, you struggle to understand which particular change you've made triggered that constant bombardment, but it's not a change, it's a non-change... ;) It's a 'hole' that has been open long enough to be discovered.

Close that (those) freakin' port(s) already, would you?! :)

February 15, 2018, 04:00:41 PM #16 Last Edit: February 15, 2018, 05:09:01 PM by dcol
What I ended up doing was to allow port 53 through IPS and then use a floating firewall rule to block them. That way I don't flood the logs. I used pftop to identify the traffic and saw that it was outbound traffic to port 53 as well as inbound, which is a normal transaction for DNS queries.
Here is a pic of what I saw. The 68.105 IPs are the legitimate DNS from the ISP. The 208.76 is not.
Also, here is the floating rule I used for DNS.

From your first image I only see legitimate traffic:

1. Absolutely all IN traffic is from your internal clients - no need for 53 UDP to be open/ NATed.
2. Absolutely all OUT traffic is from OPNsense to forwarders - no need for 53 UDP to be open/ NATed.
3. You have to figure out why there is a DNS resolving request toward 208.76... (maybe an internal client with manual DNS settings different from OPNsense's IP address, maybe a host/ domain override?!?!...)

If there is nothing left out in your DNS config, I maintain my opinion: you should keep port 53 closed (not published) on WAN/ NAT.
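The triage the reply above does by eye over the pftop screenshot, as an added example that is not code from this thread or from OPNsense: it sorts DNS states into "LAN client asking the firewall", "firewall asking an ISP forwarder", "unsolicited WAN hit on 53" and "query toward an unexpected resolver" (the 208.76... case). The state lines are constructed in a simplified pftop-like format, and the LAN range, firewall addresses and full forwarder addresses are assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample states in a simplified, pftop-like format (not real pftop output):
# "<proto> <In|Out> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_STATES = """\
udp In 192.168.1.20:53122 -> 192.168.1.1:53
udp In 192.168.1.31:49811 -> 192.168.1.1:53
udp Out 203.0.113.5:41422 -> 68.105.28.11:53
udp Out 203.0.113.5:41423 -> 68.105.29.11:53
udp Out 192.168.1.44:53001 -> 208.76.0.1:53
udp In 198.51.100.77:3333 -> 203.0.113.5:53
"""

# Assumed topology (placeholders, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN = ipaddress.ip_address("192.168.1.1")        # OPNsense LAN side
FIREWALL_WAN = ipaddress.ip_address("203.0.113.5")        # OPNsense WAN side
ISP_DNS = {ipaddress.ip_address(a) for a in ("68.105.28.11", "68.105.29.11")}


def parse_state(line: str) -> dict:
    """Split one simplified state line into its fields."""
    proto, direction, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "dir": direction,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}


def classify(st: dict) -> str:
    """Apply the three checks from the reply to a single state."""
    src, dst = st["src"], st["dst"]
    if st["dport"] != 53:
        return "non-dns"
    if st["dir"] == "In" and src in LAN and dst == FIREWALL_LAN:
        return "ok-client-query"        # check 1: LAN client asking OPNsense
    if st["dir"] == "Out" and src == FIREWALL_WAN and dst in ISP_DNS:
        return "ok-forwarder-query"     # check 2: OPNsense asking an ISP forwarder
    if st["dir"] == "In" and dst == FIREWALL_WAN:
        return "wan-inbound-dns"        # unsolicited hit on a port that need not be published
    if st["dir"] == "Out" and dst not in ISP_DNS:
        return "unexpected-resolver"    # check 3: the 208.76... case, bypassing the forwarders
    return "other"


def triage(text: str) -> dict:
    """Group state lines by category so the odd ones stand out."""
    buckets: dict = {}
    for line in text.strip().splitlines():
        buckets.setdefault(classify(parse_state(line)), []).append(line)
    return buckets


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_STATES).items():
        print(category, *lines, sep="\n  ")
```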