"We would like (if possible) just to block the bogus requests automatically
and get a single message warning us that someone's infected."
The problem is, those aren't necessarily bogus requests. .glue is very much
a valid domain name; I have been to several .glue domain web sites.
Maybe this is the reason (in BIND's documentation) they don't recommend
logging all traffic if expected traffic is to be high.
At any rate, there are two basic methods to avoid this:
1) Log only things that go wrong
and 2) Restrict TLD lookups
And why in the hell am I replying to a 3-year-old post?
'Teach a man to fish...'
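
One way the two methods above could look in a BIND 9 `named.conf`, as an added example that is not part of the original post. It assumes BIND 9.8 or later, reads "restrict TLD lookups" as a response policy zone (RPZ), and uses made-up file paths and the made-up zone name `rpz.local`.

```conf
// Added illustration; paths and the zone name "rpz.local" are assumptions.

// Method 1: log only things that go wrong.
logging {
    channel problems {
        file "/var/log/named/problems.log" versions 5 size 10m;
        severity warning;          // drop info/debug noise
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel policy_hits {
        file "/var/log/named/rpz.log" versions 5 size 10m;
        severity info;             // RPZ rewrites are logged at info
        print-time yes;
    };
    category default { problems; };
    category queries { null; };    // no per-query log on a busy resolver
    category rpz     { policy_hits; };
};

// Method 2: restrict lookups for a TLD with a response policy zone.
// named.conf allows one options block: merge this line into the existing one.
options {
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };         // policy data is not served to clients
};

/* Contents of /etc/bind/db.rpz.local (a separate zone file):

$TTL 300
@       IN SOA  localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
        IN NS   localhost.
glue    IN CNAME .    ; NXDOMAIN for the bare TLD
*.glue  IN CNAME .    ; NXDOMAIN for every name under it
*/
```

Since .glue is a valid TLD, as the post says, this policy also blocks legitimate .glue sites. Each rewrite logged in `rpz.log` names the client that sent the query, which is the record that points at a possibly infected host.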