the ( serious and maintained ) patches from http://www.redbarn.org/dns/ratelimits/ provided by Vernon Schryver and Paul Vixie can really be useful to protect against DNS DOS

 I couldnt find any useflags for that in the BIND gentoo ebuild, and I think it could be a good feature to add a use flag for these patches

" DNS Response Rate Limiting (DNS RRL) which is an experimental feature for ISC BIND9. It is expected that this technology will someday be included in a standard BIND9 release. For now it is available only as a version-specific patch.

These patches and instructions pertain to authority name servers or authoritative views. Use of this kind of rate limiting for recursive or hybrid servers or views is currently unspecified. "

Technical note describing the implementation and operation of DNS Response Rate Limiting (RRL) : http://ss.vix.com/~vixie/isc-tn-2012-1.txt

Draft text for BIND9 Administrators Reference Manual (ARM) describing DNS Response Rate Limiting (RRL) : http://www.rhyolite.com/temp/rl-arm.html