It's been a few years since I have touched AOS, but when I had seen symptoms like that in the past, it was because the IPBG was proxying DNS requests from somewhere else (typically a DoS attack). Try disabling DNS proxy:
Thanks for the input!
It wasn't trying to resolve random/evil names like a compromised system would do. The thing was trying to resolve the small handful of internal names that that it needs for our internal SIP system. I say "trying" because the response packets were being dropped on their way back to the box.
If it fails to resolve a name of a SIP server that it needs, what could make it retry hundreds of times per second? Seriously, I logged three queries in the same millisecond. Good for load testing, bad for my pacemaker.
It was rebooted, it selected a different source port for DNS queries, and everything was fine.
The number 9999 is probably meaningful, maybe as a magic number or as the last port available before you hit 10,000.