After adding some extra logging (domain and qtype), I noticed that our
most prevented query was "_nos._tcp.nos-avg.cz.|SRV", which seems to be
used by the AVG Antivirus updater. I considered whitelisting that
record in the Lua script, but then I noticed that all the other blocked
things were fairly legit looking, too.
This isn't intended as a complaint, as the script certainly does what it
says on the tin. However, people who deployed the script may consider
monitoring if it breaks anything they care about.
For anyone interested, I changed the logging line like so:
pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes. Query was: "..domain.."|"..qtype)
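As an added example (not part of the original post, and not PowerDNS code), here is a small Python script that does the kind of monitoring suggested above: it reads log lines in exactly the format the modified pdnslog() call emits, counts which domain|qtype pairs are being blocked most often, and reports how many distinct clients were affected and the largest response size seen per query. The sample lines are constructed for the example; the client addresses and byte counts are hypothetical.

```python
import re
from collections import Counter

# Pattern for the log line written by the modified pdnslog() call:
#   Protected <remoteip> against an overly large response of <len> bytes. Query was: <domain>|<qtype>
LOG_RE = re.compile(
    r"Protected (?P<ip>\S+) against an overly large response of (?P<len>\d+) bytes\. "
    r"Query was: (?P<domain>\S+)\|(?P<qtype>\S+)$"
)

# Constructed sample log lines (hypothetical clients and sizes), not real log data.
SAMPLE_LOG = """\
Protected 192.0.2.10 against an overly large response of 4120 bytes. Query was: _nos._tcp.nos-avg.cz.|SRV
Protected 192.0.2.11 against an overly large response of 3900 bytes. Query was: _nos._tcp.nos-avg.cz.|SRV
Protected 192.0.2.12 against an overly large response of 5200 bytes. Query was: example.org.|TXT
some unrelated log line that must be ignored
Protected 192.0.2.10 against an overly large response of 4100 bytes. Query was: _nos._tcp.nos-avg.cz.|SRV
"""


def parse_protected_lines(text):
    """Return one dict per line matching LOG_RE; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append({
                "ip": m["ip"],
                "len": int(m["len"]),
                "domain": m["domain"],
                "qtype": m["qtype"],
            })
    return records


def top_blocked(records, n=10):
    """Most frequently blocked (domain, qtype) pairs as ((domain, qtype), count) tuples."""
    return Counter((r["domain"], r["qtype"]) for r in records).most_common(n)


def summarize(records):
    """Per (domain, qtype): block count, distinct client IPs, and largest response seen."""
    out = {}
    for r in records:
        key = (r["domain"], r["qtype"])
        s = out.setdefault(key, {"count": 0, "clients": set(), "max_len": 0})
        s["count"] += 1
        s["clients"].add(r["ip"])
        s["max_len"] = max(s["max_len"], r["len"])
    return out


if __name__ == "__main__":
    # Reading from a real log would replace SAMPLE_LOG with the file contents.
    recs = parse_protected_lines(SAMPLE_LOG)
    stats = summarize(recs)
    for (domain, qtype), count in top_blocked(recs):
        s = stats[(domain, qtype)]
        print(f"{count:5d}  {domain}|{qtype}  clients={len(s['clients'])}  max={s['max_len']} bytes")
```

Running it against the real log shows at a glance which blocked names recur across many clients (likely something legitimate such as an updater) versus a one-off large answer for a single client, which is the distinction you need before deciding whether a record deserves an exception in the script.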