"The fact that the noisemakers kept coming anyway led me to a rather obvious conclusion: Any IP address that generates a 'denied' response from our name server is up to no good, and can legitimately be blackhole routed at the Internet-facing interface. Implementing the solution was (no surprise) a matter of cooking up some scriptery, including one that tails the relevant logs closely, greps out the relevant information and one that issues a simple route add -host $offendingip 127.0.0.1 -blackhole for each offending IP address. My users reported vastly improved network conditions almost immediately."
Sounds like reinventing fail2ban to me.. and writing an article about it. He even says what really worked was 1) removing the domains from his named config and 2) refusing to talk to the IPs that were obviously DDoSing.. #2 is what fail2ban does automatically and dynamically..
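The log-grep-and-blackhole logic the quoted post describes, written out as an added example (not the original author's scripts and not fail2ban's filter): it pulls client addresses out of BIND-style "denied" lines, skips an operator-supplied list of networks so you never blackhole your own resolvers or monitoring hosts, and builds the route command from the post without executing it. The log line format and the sample lines are constructed assumptions; compare them against what your named security channel actually emits.

```python
import ipaddress
import re
from collections import Counter

# Client address in BIND-style "query ... denied" lines. The format is an
# assumption modelled on typical named security-channel output; adjust to taste.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?\bdenied\b"
)


def offending_ips(log_lines, ignore_networks=()):
    """Return a Counter of client IPs that produced a 'denied' response.

    ignore_networks: CIDR strings whose clients are never reported (own
    resolvers, monitoring). This allowlist is an addition, not in the post.
    """
    ignore = [ipaddress.ip_network(n) for n in ignore_networks]
    hits = Counter()
    for line in log_lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # garbled line: skip it rather than blackhole garbage
        if any(addr in net for net in ignore):
            continue
        hits[str(addr)] += 1
    return hits


def blackhole_commands(ips):
    """Build the BSD route command quoted in the post, one per offending IP."""
    return [f"route add -host {ip} 127.0.0.1 -blackhole" for ip in sorted(ips)]


# Constructed sample lines approximating named's security log channel.
SAMPLE_LOG = [
    "01-Jan-2020 10:00:01.123 client 198.51.100.7#53421: query (cache) 'example.net/A/IN' denied",
    "01-Jan-2020 10:00:01.456 client 198.51.100.7#53422: query (cache) 'example.org/MX/IN' denied",
    "01-Jan-2020 10:00:02.001 client 192.0.2.25#1053: query 'example.com/A/IN' approved",
    "01-Jan-2020 10:00:02.777 client 203.0.113.9#4096: query (cache) 'example.net/ANY/IN' denied",
    "01-Jan-2020 10:00:03.000 client 10.0.0.5#33000: query (cache) 'example.net/A/IN' denied",
]

if __name__ == "__main__":
    hits = offending_ips(SAMPLE_LOG, ignore_networks=["10.0.0.0/8"])
    for cmd in blackhole_commands(hits):
        print(cmd)  # print only; feed to a shell once the output is trusted
```

In production the input would be the live tail of the named log rather than a list, and the ignore list should cover every address range you operate.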