New remote DOS for ISC BIND (DNS) just announced:



https://www.isc.org/node/474



securityfocus has a poc:



http://downloads.securityfocus.com/vulnerabilities/exploits/35848.txt



if i got all my bits straight this should drop and log those packets in a cisco asa firewall:



policy-map type inspect dns preset_dns_map

match header-flag eq 0×2800

drop log