Basically, we're using a thing called a reverse proxy. In order for the subdomain to work with Dynmap's webserver (since I'm bypassing our messy Apache/Nginx combo), when a request is received on the subdomain it is rerouted to the 25596 url, which gives the nice cosmetic URL and HTTPS. This means both URLs are exactly the same, but the build.escres one is meant to be the public facing one. If we need to change ports for example, it means we can do so without having to issue a new URL to users. It gives us a bit of abstraction.
Apart from that background info, I've closed off access to :25596. Keeping as many ports closed as possible is always a bonus for security. Thanks!