A conclusion to this mystery can’t be reached until we know what was inside the packets. If the logs are BIND format and the IP addresses in parenthesis is the destination of the query, then I find that communication highly unusual given that the destination server doesn’t appear to have been a DNS server. I actually think the Spectrum IP address is more suspicious than the Alfa IP address because the Spectrum machine also wasn’t a DNS server. A Google search will show it was used to post in various forums and access websites. Additionally, the Spectrum IP address was seen as a source in Wikipedia article edits. That most likely means it was a shared address and wasn’t necessarily a dedicated server. My speculation is it was either a NAT address for part of the corporate network or a NAT address for a visitor network.