You are investigating suspicious communication between two devices in your environment. The source socket is 22.214.171.124:5696 and the destination socket is 192.168.5.3:53.
What service should you suspect is under attack?
You should suspect a DNS attack, mist likely an at attempt at an unauthored zone transfer. The destination port is port 53. Unless there is a non-default service running on that port, that port is used for DNS.
You should not suspect DHCP. By default, DHCP uses ports 67 and 68, not 53.
You should not suspect HTTP. By default, HTTP uses port 80.
You should not suspect NTP. By default, NTP uses port 123.