So, why does libvirt set its rules up like this?
Since the default policy is ACCEPT, and all rules are ACCEPT, that means that all traffic coming into the host is accepted. So why bother allowing DNS and BOOTP (DHCP) traffic? Answer: because libvirt wants to ensure that, even if the INPUT chain has a different policy, all guests (traffic originating on the virbr0 interface) will receive DNS and DHCP service from the host.
Chain INPUT (policy ACCEPT 380 packets, 37990 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:bootps