Re: rfc1918 impact

On 15 Oct 2003, at 23:24, Michel Py wrote:

RFC 2827 provides exactly these recommendations.

[FYI: RFC 2827 is about ingress filtering to stop source address spoofing]


Does it? We are not talking about blocking RFC1918 traffic here;

I was.


what we are talking about is blocking traffic where both SA (after NAT) and DA are public that contains a DNS request for a PTR like 8191CFR.in-addr.arpa, which requires decapsulating the packet to inspect its content. It's not that simple.

I don't feel that a lookup for <something>.10.in-addr.arpa is all that wrong. This can be handled in many very reasonable ways, and the usual caching applies. Requests with unroutable sources are wrong because they break the protocol.


Iljitsch