As for our recursive nameservers, we've got about 3 different sets of IP addresses, for various legacy reasons. All of these are being hit with a large number of queries (that are as far as we can tell, legitimate) from people outside our network who are using our resolvers for what looks like a number of different reasons. Some of the resolvers have been on these addresses for over 10 years, so it's not surprising.
There's going to be quite a challenge to lock those open resolvers down, and we're debating how to do it at the moment - the industry comms process will be interesting, I'm sure, and I'm sure many people on this list will have a busy day fixing up old boxes that can't when our messages have been ignored :-)
Would be interested in any experience people have with something similar.
In the past I've split off legacy IPs on resolvers to a different server and installed a completely open Bind resolver on it. Log IPs and contact people who are under your control (on your network I guess). Then hack bind to return one IP address as an answer to any standard query. We just did A and MX. That IP points to a server under your control. Install Apache, postfix, courier-pop3d, etc. on there and serve various types of bogus data telling people what to do. It worked well for me. YMMV.

I suppose in your case you might need to somehow redirect DNS requests that originate off-net to this other nameserver at your borders, or configure this DNS server to handle off-net requests a bit differently. From memory bind will support that.

Also, I can't recall if it's been mentioned here before, but we used a pretty simple approach to split recursive from authoritative nameservers without breaking any customer DNS. It worked well for us. If anyone wants details feel free to ask. It truly didn't seem that hard.

Dave
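An added example of the BIND view split Dave describes (not from either post): on-net clients keep recursion, off-net clients lose it and instead get the "notice" answer for any name. The prefixes 192.0.2.0/24 and 2001:db8::/32 stand in for "your network" and 198.51.100.10 for the notice host; both are placeholders, as is the zone file name.

```conf
// named.conf fragment for a BIND 9 resolver on a legacy address.
// Placeholder values: replace "onnet" prefixes and the notice host.
acl "onnet" { 192.0.2.0/24; 2001:db8::/32; localhost; };

logging {
    // Query log lines carry the view name ("view external: query: ..."),
    // so grep this file for the off-net source IPs to build the contact list.
    channel offnet_log {
        file "/var/log/named/queries.log" versions 5 size 20m;
        print-time yes;
    };
    category queries { offnet_log; };
};

// On-net clients: normal recursive service, cache access limited to them.
view "internal" {
    match-clients { onnet; };
    recursion yes;
    allow-recursion { onnet; };
    allow-query-cache { onnet; };
};

// Everyone else: no recursion, no cache. With only the two lines below
// off-net queries get REFUSED; the root zone beneath turns every query
// into the migration notice described above (remove it once traffic drops).
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    // notice.zone (placeholder name) holds an SOA, an NS record, and the
    // wildcards "*. IN A 198.51.100.10" and "*. IN MX 10 notice.example.",
    // so any A or MX lookup resolves to the server explaining the change.
    zone "." {
        type master;
        file "notice.zone";
    };
};
```

Run `named-checkconf` before reloading, and confirm with `dig @legacy-address example.com` from an off-net host that the answer comes from the notice zone and not from the cache.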