At the start of November this year we moved to a DNS service called Neustar/UltraDNS to add the ability to do load balancing and link failover for our websites as well as host our DNS records. Prior to this, our DNS had been hosted with our ISP, which provided no additional service other than name resolution.
The first 3 weeks on the product have been great. However, starting on Thanksgiving Day and continuing to now, we have had a flood of DNS queries against the service from foreign entities. This has pushed us above our contracted service level, which adds expense. Since we didn’t have any sort of reporting prior to this product, I am having a hard time determining what is normal and how we should respond to it. Our query volume has gone up nearly 50x what it was prior to Thanksgiving Day. We have not made changes to our sites or infrastructure during this time. The majority of the DNS requests are coming from Saudi Arabia, but also a wide range of other countries. We are a small regional firm that has no international exposure or client base outside of a two-state radius in the US.
Since we have never needed to manage outside DNS in the past, are there things we should be doing to guard against this, or are there items we should be asking our DNS provider to do? They are saying this traffic does not appear to be a DNS attack, but they also get revenue based on query volume, so I am looking for outside ideas. They have instructed us to lower the TTL on our domain names as well as contact our ISPs to put blocks on the top foreign IPs hitting our domains.