You appear to be running an open recursive resolver at IP address 199.241.145.147 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

Please consider reconfiguring your resolver in one or more of these ways:

- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

More information on this type of attack and what each party can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Example DNS responses from your resolver during this attack are given below. 
Date/timestamps (far left) are UTC.

2015-02-17 05:17:57.132114 IP (tos 0x0, ttl 55, id 53417, offset 0, flags [+], proto UDP (17), length 1500) 199.241.145.147.53 > 66.150.164.x.22123: 53716 248/2/1 ozzr.ru. SOA[|domain]
0x0000: 4500 05dc d0a9 2000 3711 4ce8 c7f1 9193 E.......7.L.....
0x0010: 4296 a464 0035 566b 0fef 9be8 d1d4 8180 B..d.5Vk........
0x0020: 0001 00f8 0002 0001 046f 7a7a 7202 7275 .........ozzr.ru
0x0030: 0000 ff00 01c0 0c00 0600 0100 000d 6900 ..............i.
0x0040: 2b03 6e73 3103 7265 67c0 110a 686f 7374 +.ns1.reg...host
0x0050: 6d61 ma
2015-02-17 05:17:57.132961 IP (tos 0x0, ttl 55, id 53418, offset 0, flags [+], proto UDP (17), length 1500) 199.241.145.147.53 > 66.150.164.x.45407: 11404 248/2/1 ozzr.ru. SOA[|domain]
0x0000: 4500 05dc d0aa 2000 3711 4ce7 c7f1 9193 E.......7.L.....
0x0010: 4296 a464 0035 b15f 0fef e63c 2c8c 8180 B..d.5._...<,...
0x0020: 0001 00f8 0002 0001 046f 7a7a 7202 7275 .........ozzr.ru
0x0030: 0000 ff00 01c0 0c00 0600 0100 000d 6900 ..............i.
0x0040: 2b03 6e73 3103 7265 67c0 110a 686f 7374 +.ns1.reg...host
0x0050: 6d61 ma
2015-02-17 05:17:57.145065 IP (tos 0x0, ttl 55, id 53419, offset 0, flags [+], proto UDP (17), length 1500) 199.241.145.147.53 > 66.150.164.x.63745: 49828 248/2/1 ozzr.ru. SOA[|domain]
0x0000: 4500 05dc d0ab 2000 3711 4ce6 c7f1 9193 E.......7.L.....
0x0010: 4296 a464 0035 f901 0fef 0882 c2a4 8180 B..d.5..........
0x0020: 0001 00f8 0002 0001 046f 7a7a 7202 7275 .........ozzr.ru
0x0030: 0000 ff00 01c0 0c00 0600 0100 000d 6900 ..............i.
0x0040: 2b03 6e73 3103 7265 67c0 110a 686f 7374 +.ns1.reg...host
0x0050: 6d61 ma

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "100".)

Created L7 firewall rule to limit the number of new incoming connections to port 53.

Also Read

brute force attempt
> Your IP address [162.253.128.212] has been blocked for attacking sshd > on our network....
UK SPAM Static IP Server
X-Originalarrivaltime: 25 Jul 2014 15:11:43.0391 (UTC) FILETIME=[BE648AF0:01CFA81A] MIME-Version:...
California - Notice of Claimed Infringement Case 8 Cases
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1VIA EMAIL:Notice of Claimed Infringement via...
NL Abuse Complaint: Abuse complaint: ***UNCHECKED*** RBL Listing Notification - AS16265 - LEASEWEB
** This is an automated e-mail to inform you of an abuse complaint **   ABUSE TYPE: ATTACK...
DoS attack from the LiquidVPN Network
Dear Provider I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to...