Usually, port 53 is used for DNS queries and transactions over both tcp and udp, while http GET request traffic is handled over tcp 80 or 8080 (or ssl encrypted over 443).
Instead, currently we have an unusual set of files, often named “qq_updates.cab” that are being renamed and run on a fairly high number of user systems (they are not cab files. They are malicious executables) and querying http servers hosted in China over tcp port 53 for gif files (1.gif, 2.gif, 3.gif, B.gif, c.gif, etc). These queries are not standard dns lookup requests as a network admin might expect, or standard http requests for image files.
The responses for these gif file requests are either location information and directions to download more spyware executables or are additional spyware executables themselves, designed to steal a user names and passwords from multiple gaming applications. Some of the writers are becoming more clever and using encoded data over that port as well. Prevalence is high, and network admins may want to monitor dns ports for unusual http traffic for .gif files carrying nothing but executable content.