Further to that, it looks like we're being hit by this
http://foxpa.ws/2010/07/21/thwarting-the-isc-org-dns-ddos/
which is a very large number of clients all making ANY requests for isc.org.
The problem is that a lot of the source addresses are within our network, suggesting that we either have a lot of infected customers, or they're spoofed and someone is targeting our customers with unsolicted dns responses.
Looks like a new DDOS out there.. anyone else seeing it ?