The issue was a large number of dpt 80 rules that are added by a script from Snort exploits. The suggested solution was to move these to a new chain so that only packets destined for httpd would have to traverse several hundred (hopefully temporary) rules. Not only does this make logical sense, but I notice a definite improvement in DNS (which is the most apparent performance issue). Thanks.
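The layout the post describes, as an added example rather than the poster's own script: a POSIX shell function that emits an iptables-restore ruleset in which the long list of source-network rules lives in its own chain, and INPUT contains a single dispatch rule that sends only new TCP/80 packets into it, so DNS and established traffic never walk the long list. The chain name HTTP_BLOCK, the ordering of the INPUT rules, and the three sample networks are assumptions made for the example; the real Snort-derived list is not on the page.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# ruleset that isolates the per-exploit HTTP rules in a dedicated chain.
# Generating the text is safe anywhere; loading it needs root and iptables.

# Constructed sample stand-in for the networks a Snort-derived script would
# block for HTTP. Placeholders only; the post's actual list is not shown.
SAMPLE_BLOCKLIST='203.0.113.0/24
198.51.100.17
192.0.2.0/25'

# Emit a ruleset where only packets to dpt 80 enter the HTTP_BLOCK chain.
# DNS (udp dpt 53) and established flows match an early INPUT rule and stop.
gen_ruleset() {
  blocklist="$1"
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':HTTP_BLOCK - [0:0]'            # user-defined chain (assumed name)
  # Cheap, frequent traffic first so it never reaches the long chain.
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -p udp --dport 53 -j ACCEPT'
  # Single dispatch rule: only new TCP/80 packets are handed to HTTP_BLOCK.
  echo '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j HTTP_BLOCK'
  # The several-hundred-entry list lives here and is evaluated only for dpt 80.
  printf '%s\n' "$blocklist" | while IFS= read -r net; do
    [ -n "$net" ] || continue
    echo "-A HTTP_BLOCK -s $net -j DROP"
  done
  # Anything not dropped returns to INPUT and falls through to the policy.
  echo '-A HTTP_BLOCK -j RETURN'
  echo 'COMMIT'
}

# Count how many rules a chain holds in the generated ruleset; this is the
# number a matching packet evaluates at most before leaving that chain.
count_chain_rules() {
  chain="$1"
  gen_ruleset "$SAMPLE_BLOCKLIST" | grep -c "^-A $chain "
}
```

To load the result on the firewall host: `gen_ruleset "$SAMPLE_BLOCKLIST" > /tmp/rules.v4` followed by `iptables-restore < /tmp/rules.v4` as root. With this layout a DNS packet is evaluated against two INPUT rules and stops, whereas in the flat layout it would have been compared against every dpt 80 rule that precedes the DNS accept.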