-
Attacker might generate fake NS records pointing to victim's DNS zone. If the zone contains wildcard the attacker might force us into packet exchange with a (lame) DNS server on that IP address. We now limit number of consecuctive failures and kill whole request if limit is exceeded.