public IP port exposed which is closed by NAT on router

UDP doesn't have connections. It's a datagram service.

Ports in the UDP port 3200 to 3299 range are expected to be registered (list), but "squatting" on or even spoofing ports is possible, depending on what software is connected on the port.

Usual trigger for these paths through the firewall is some device behind the firewall that's been communicating remotely via that port.

You may have to more specifically identify the device on your local network, and determine what component is communicating with remote hosts on 32xx. Depending on the host, there are various ways to do that.

It's possible to exercise substantial control of network activites with mid-grade firewalls; something with a bit more capability and flexibility than an AirPort Extreme NAT-based firewall.

If you have untrusted devices connected on your local network, you might want a firewall that can provide multiple networks; a guest or DMZ network, for instance.

How to block an outbound UDP port? Get a more advanced firewall. Alas, the AirPort is fairly limited in its capabilities. (The only way I'm aware that an AirPort-class device can block a UDP port established by outbound NAT traffic is by adding a static forwarding rule that sends UDP port requests off into hyperspace; to what will need to be an unused port. You might also want to disable NAT Port Mapping Protocol or NAT-PMP, if that's been enabled.)

Or determine what's running on the iOS device, as you've mentioned you're researching.

Command line tools that can scan a target host for an open UDP port, or a range of UDP ports:

nc -zu 10.20.30.40 3200

nc -zu 10.20.30.40 3200-3299

nc -vvzu 10.20.30.40 3200-3299

Using netcat probably won't directly help you very much, though you might be able to brute-force cycle through applications to see what's in use, rebooting your phone as a way to avoid having to wait for any background apps to exit.

Yes; that thread is the hyperspace reference. Port mapping the connection into oblivion.

I usually use ZyXEL ZyWALL USG series devices, but those are definitely not entry-level devices suited for inexperienced network users; the UI is cogent and consistent, but the administrator is expected to already understand IP networking, DNS and related details.

Will take a look at nc; haven't run into that case. (I usually monitor this stuff at the level of the switch.)

Either run DNS services for the DMZ at the ZyXEL ZyWALL USG using its integrated DNS server, or run DNS services on the OS X Server box.

Here's how to set up OS X Server DNS.

If you configure the USG for DNS, then aim the DNS server reference on the server at the USG.

I wouldn't run both the USG DNS server and the OS X Server DNS server here, though that's just extra work and duplicated effort and won't hurt anything.

If you do run DNS services in your DMZ, do not allow remote access into your DNS server through your USG. Do not map TCP or UDP port 53 through from the Internet.