Because I do not understand your DNS, this suggestion may be completely
inappropriate, but have you considered a "recent" match for your iptables
firewall? Something like:

# This only limits the number of NEW connections, sending the remainder
on
# to the rest of the rules in the chain from which it was called (INPUT).
# This limits each IP.

iptables -N DDoS

# Check /proc/net/ipt_recent to see the content of 'recent' lists.
# --name is the name of the table; use --name when more than one
'recent' match
# is used so the table matches the intended use.
# --rcheck checks to see if IP is in list '--name NAME' without updating
the
# entry's timestamp (use --update for that).
# --rttl makes sure the ttl for this IP is the same as last time (helps
prevent
# IP spoofing).
# --update updates the timestamp in the list. Cannot use --update and --
rcheck
# in the same rule.
# If IP is in list ddos then drop connections in excess of 17 per second.
# Tune it if it DROPs too much for your setup.

iptables -A DDoS -m recent --set --name ddos

# Allow if hitcount is less than 18.

iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
--hitcount 18 -m limit --limit 12/h --limit-burst 1 -j LOG --log-prefix
"DDoS "
iptables -A DDoS -m recent --name ddos --update --seconds 1 \
--hitcount 18 -j DROP
iptables -A DDoS -m recent --name ddos --rcheck --seconds 1 \
--hitcount 1 -j RETURN
iptables -A DDoS -j RETURN

---
# Limit the number of NEW connections.
iptables -A INPUT -i $IFE -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
---

The syntax to change the DROP rule:
iptables -R DDoS 3 -m recent --name ddos --update --seconds # \
--hitcount ## -j DROP

This way, you don't have 5K rules.