I am glad I took my lumps and disabled public recursive resolving many years ago on my BIND installations. Only do that for local IP ranges! This eliminates all the resolver issues. Also I found that when the DNS server was open I was getting a constant stream of repeated unusual TXT lookups from remote IP's which were for oddball domains. These TXT records contained many K of data. I suspect these requests were fake source IP requests being used as some sort of bandwidth DOS attack, working like a Smurf PING attack.