Coincidentally, I've been involved in a conversation around running two Xboxen on the same network and a fully UPnP compliant 'hub' being the only way to make them play nicely together with regard to external ports. So I'm guessing there's some voodoo involved. Consequently I've started learning how UPnP really works.
I always disable UPnP on any device I get my hands on. And the only externally available ports on the WAN side of my firewall are for OpenVPN.
In light of the original issue, I've configured the internal DNS server to NXDOMAIN and log any requests for dynect.net. There have been none recorded so far. I'm still none the wiser. I suspect there's a device or an app which has some hard-coded DNS servers and perhaps the requests are not exploitive. I'm thinking of tweaking the firewall to block any traffic on port 53 that doesn't come from the internal DNS server.
In other news, OpenDNS's Umbrella is quite awesome. Their offerings to home users are confusing/baffling and the marketing BS on their website conflates matters. They have two offerings for home users. The first is VIP home, which seems to have restrictive reporting, in that it won't tell you when a request was made. And then there's Prosumer, which has the full reporting, but doesn't offer a 'full network option'. Instead it's five devices per user, with each device running an app to manage/tunnel DNS requests. Both options seem suitably castrated and the business offerings look prohibitively expensive so they won't be seeing any of my ££.