Re: Rule Set Size vs Performance Follow-up

David Cary Hart wrote:
The issue was a large number of dpt 80 rules that are added by a script
from Snort exploits.

The suggested solution was to move these to a new chain so that only
packets destined for httpd would have to traverse several hundred
(hopefully temporary) rules.

Not only does this make logical sense but I notice a definite
improvement in DNS (which is the most apparent performance issue).

You'd probably also want to make sure you don't use any connection tracking rules and therefore not load the conntrack module. In my case, DNS queries took seconds (as opposed to milliseconds) to get an answer back from the dnscache.
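To make the chain-separation idea concrete, here is an added example (not code from either poster) that generates iptables-restore fragments for the two layouts: the flat one, where every script-generated port-80 rule sits in INPUT and every packet walks all of them, and the chained one, where INPUT holds a single `-p tcp --dport 80` jump into a dedicated user chain. The blocked source addresses and the chain name HTTP_BLOCK are constructed for the example; the real list would come from the Snort-derived script mentioned above.

```shell
#!/bin/sh
# Added example: compare a flat port-80 rule set against one moved into its own chain.
# Sample addresses below are constructed (RFC 5737 documentation ranges), not real hosts.
SAMPLE_BLOCKS='192.0.2.10
192.0.2.11
198.51.100.7'

# Flat layout: one INPUT rule per blocked address. A DNS reply (udp/53) still has to be
# evaluated against every one of them before reaching later rules or the chain policy.
flat_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' "$SAMPLE_BLOCKS" | while read -r addr; do
        printf '%s\n' "-A INPUT -s $addr -p tcp --dport 80 -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Chained layout: INPUT carries a single stateless tcp/80 match that jumps to HTTP_BLOCK
# (hypothetical chain name). Non-HTTP packets fail that one match and skip the whole list,
# and no conntrack state is consulted, so the conntrack module need not be loaded for this.
chained_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':HTTP_BLOCK - [0:0]'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j HTTP_BLOCK'
    printf '%s\n' "$SAMPLE_BLOCKS" | while read -r addr; do
        printf '%s\n' "-A HTTP_BLOCK -s $addr -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules a non-HTTP packet (such as a DNS answer) is evaluated against.
# Takes the name of one of the generator functions above.
input_rules_seen_by_dns() {
    "$1" | grep -c '^-A INPUT'
}

# Number of rules that only tcp/80 traffic reaches in the chained layout.
http_only_rules() {
    chained_ruleset | grep -c '^-A HTTP_BLOCK'
}

# Stand-alone run: show both fragments and the per-packet rule counts.
main() {
    echo '--- flat ---';    flat_ruleset
    echo '--- chained ---'; chained_ruleset
    echo "INPUT rules a DNS packet traverses, flat:    $(input_rules_seen_by_dns flat_ruleset)"
    echo "INPUT rules a DNS packet traverses, chained: $(input_rules_seen_by_dns chained_ruleset)"
}
main
```

Either fragment is meant to be merged into the full rule set (or loaded with `iptables-restore --noflush` on a test box) rather than applied on its own, since it declares no policies for the built-in chains. With the real several-hundred-entry list, the flat count grows with the list while the chained count stays at one, which is the effect the thread reports on DNS latency.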
