RE: urgent - netfilter rejecting 60% of DNS requests!

At 09:31 AM 10/2/2003 +1000, George Vieira wrote:
Are you sure this isn't a BIND problem and not iptables? If it's iptables then you should log all dropped/rejected packets and find out which ones are dropping and why.

Do you have some funky rules like dropping fragmented packets or anything else?

Some BIND servers use TCP instead of UDP to transfer zone info but this may(not) be your problem.. LOG, LOG, LOG and if it doesn't catch it then it's probably a BIND issue..

Another possibility is that the DNS request-response cycle is taking longer than conntrack allows. I have not found a way to tune this. If you suspect this is a problem, consider dropping stateful inspection for DNS packets and using pure packet filtering rules to see if that fixes the problem.


Some of the DNS lookups from dig are taking upwards of 30 seconds with some DNS servers.

Satch



--
"The beautiful part of writing is that you don't have to get it right the first time, unlike, say, a brain surgeon." --Robert Cormier
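An added example (not part of the thread, and not George's or Satch's configuration) of what the two suggestions above look like as iptables rules: a rate-limited LOG in front of the final DROP so any rejected DNS packet shows up in the kernel log together with the chain that dropped it, and a NOTRACK plus port-based allow for DNS to a single resolver so conntrack never holds a state entry for those packets at all. The resolver address 192.0.2.53, the interface eth0 and the function names are assumed values. One check worth doing first: current kernels expose the unreplied-UDP conntrack timeout as /proc/sys/net/netfilter/nf_conntrack_udp_timeout, 30 seconds by default, which is the same range as the slow dig lookups mentioned above; the script prints that value before the rules.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables rule set that does the
# two things suggested above - log whatever reaches the final DROP, and pass
# DNS to/from one resolver without consulting conntrack, so a slow lookup
# cannot be cut off by the UDP conntrack entry expiring.
# Assumed (hypothetical) values: resolver 192.0.2.53 reached over eth0.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the rule functions can be inspected without root or netfilter.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Report the kernel's unreplied-UDP conntrack timeout (30 s by default on
# current kernels); prints "n/a" on systems that do not expose it.
conntrack_udp_timeout() {
  f=/proc/sys/net/netfilter/nf_conntrack_udp_timeout
  if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Stateless UDP DNS: NOTRACK in the raw table means no conntrack entry is ever
# created, so ESTABLISHED/RELATED will not match and both directions must be
# allowed explicitly. Limiting the allow to one resolver address keeps the
# hole small.
dns_stateless_rules() {
  ipt -t raw -A PREROUTING -i "$IFACE" -p udp -s "$DNS_SERVER" --sport 53 -j NOTRACK
  ipt -t raw -A OUTPUT -o "$IFACE" -p udp -d "$DNS_SERVER" --dport 53 -j NOTRACK
  ipt -A OUTPUT -o "$IFACE" -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -p udp -s "$DNS_SERVER" --sport 53 -j ACCEPT
  # TCP DNS (zone transfers, truncated replies) stays under conntrack but is
  # allowed explicitly too; inbound SYNs are refused so the port-53 allow
  # cannot be used to open new connections towards this host.
  ipt -A OUTPUT -o "$IFACE" -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -p tcp -s "$DNS_SERVER" --sport 53 ! --syn -j ACCEPT
}

# Final rules: rate-limited LOG, then DROP. The prefix names the chain so the
# kernel log shows which direction the rejected DNS packets were travelling.
log_and_drop_rules() {
  for chain in INPUT OUTPUT FORWARD; do
    ipt -A "$chain" -m limit --limit 10/min -j LOG --log-prefix "NF-DROP-$chain: "
    ipt -A "$chain" -j DROP
  done
}

# Order matters: the accepts must be appended before the catch-all LOG/DROP.
echo "# nf_conntrack_udp_timeout: $(conntrack_udp_timeout)"
dns_stateless_rules
log_and_drop_rules
```

Run it as root with DRY_RUN=0 to apply the rules; the default only prints them. The stateless allow is deliberately scoped to one resolver address: a bare `--sport 53 -j ACCEPT` from anywhere, with no conntrack behind it, would let any host reach arbitrary high ports simply by sourcing its packets from port 53.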

