Vulnerability Development mailing list archives

Bind recursive queries quota.


From: Robert Buckley <rbuckley () synapsemail com>
Date: Fri, 19 Jul 2002 13:27:19 -0400

Howdy,
        Does anyone have any information about exploiting bind's recursive
queries [num] limitation?
One of our clients decided to do a very intensive WebTrends report, which (
I assume ) had an option to do 
dns lookups. We use a Cisco pix on the border, with 2 external and 2
internal bind 9 systems. 

The Cisco pix contains a feature called a DNS-GUARD that will prevent the
same query being answered twice.
In other words, the 1st guy to come back with the answer to a query is let
in, anyone else is denied.

Our firewall logs showed inbound denials from our two externals had
increased 196.x times more than normal.
AVG 400 or so to about 60 thousand plus. An investigation showed that one
single client ( The Web Trends Guy) was slamming our internal servers with
queries.
Our logging on our dns servers showed: Client Recursive Queries Quota
Reached.

According to some research we've done, a bind server will stop answering
queries if it has the default value of 100 unanswered queries in memory.
Of course this value can be increased via an option. It seemed to me that
this type of abuse from the webtrends app, nearly caused a denial of service
on our dns. 

IMO, it would be trivial to write something to ask 100 bogus queries that
don't get answered in time.
Anyone have a similar experience or security information on this?
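Added example, not part of the post above or of BIND itself: a small Python parser that takes the kind of "quota reached" messages the poster saw, counts them per client alongside that client's query volume, and reports who is dominating the quota events. The log lines are constructed and modelled on BIND 9's "no more recursive clients: quota reached" message; the threshold and field layout are assumptions. Note the caveat in the code: the recursive-clients quota is server-wide, so the client that gets refused is not necessarily the one that filled it, which is why the query count is reported next to the refusal count.

```python
import re
from collections import Counter

# Constructed sample log, modelled on BIND 9 query-log and quota messages.
# Not real output from the poster's servers.
SAMPLE_LOG = """\
Jul 19 13:20:01 ns1 named[123]: client 192.0.2.10#53211: query: www.example.com IN A +
Jul 19 13:20:01 ns1 named[123]: client 192.0.2.10#53212: query: mail.example.net IN A +
Jul 19 13:20:01 ns1 named[123]: client 198.51.100.7#40001: query: host.example.org IN A +
Jul 19 13:20:02 ns1 named[123]: client 192.0.2.10#53213: no more recursive clients: quota reached
Jul 19 13:20:02 ns1 named[123]: client 192.0.2.10#53214: no more recursive clients: quota reached
Jul 19 13:20:03 ns1 named[123]: client 198.51.100.7#40002: no more recursive clients: quota reached
"""

# "client <ip>#<port>: <message>" is the shape of BIND's per-client messages.
CLIENT_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<msg>.*)")
QUOTA_MARK = "quota reached"


def parse_client_events(log_text):
    """Return (queries, quota_hits): Counters keyed by client IP."""
    queries, quota_hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # unrelated log line
        ip, msg = m.group("ip"), m.group("msg")
        if QUOTA_MARK in msg:
            quota_hits[ip] += 1
        elif msg.startswith("query:"):
            queries[ip] += 1
    return queries, quota_hits


def suspect_clients(log_text, share=0.5):
    """Clients accounting for at least `share` of all quota-reached events.

    Returns (ip, quota_hits, queries) tuples, busiest first. The quota
    (BIND's recursive-clients option) is global, so a refused client may be
    a victim rather than the cause; the query count helps tell them apart.
    """
    queries, quota_hits = parse_client_events(log_text)
    total = sum(quota_hits.values())
    if total == 0:
        return []
    return [(ip, n, queries[ip]) for ip, n in quota_hits.most_common()
            if n / total >= share]
```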