So we all heard about the DNS flaw announced by DoxPara. Boy, was that a busy week for us! Turns out, the secure version of BIND has this little problem with CPU load, accompanied by complaints about file descriptors, above a certain number of DNS queries per second. Ouch.
The immediate key to get it under control was to add ulimit -n 4096 to named.conf so that BIND would use more of the available file descriptors. The fix with more breathing room was to install the next beta version of BIND that has better performance. We've been out of the woods since then, and we're no longer expecting another shoe to flatten us.
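A quick way to confirm that the higher descriptor limit actually reached the running named, and how much headroom it has left, is to read the limit the process was started with and count its open descriptors. This is an added example and not code from the original post or from BIND; it assumes a Linux /proc filesystem, a process called named, root privileges to read its fd directory, and pgrep being available. The /proc/<pid>/limits text used as sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check the open-file limit a
# running named actually got and how close it is to that limit.
# Assumptions: Linux /proc, a process named "named", root to read its fd
# directory, and pgrep. The sample /proc text below is constructed.

# Constructed sample of /proc/<pid>/limits for offline use.
SAMPLE_LIMITS="Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             3000                 3000                 processes"

# Soft "Max open files" value from the text of /proc/<pid>/limits, passed
# as the first argument. Field layout of that line:
#   Max open files    <soft>    <hard>    files
fd_soft_limit() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4; exit }'
}

# Integer percentage of the limit in use. Arguments: used limit
fd_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when usage is below threshold_pct, fail otherwise.
# Arguments: used limit threshold_pct
fd_headroom_ok() {
    [ "$(fd_usage_pct "$1" "$2")" -lt "$3" ]
}

# Live check against the running named via /proc.
check_named() {
    pid=$(pgrep -o named 2>/dev/null)
    if [ -z "$pid" ]; then
        echo "named is not running" >&2
        return 2
    fi
    limit=$(fd_soft_limit "$(cat "/proc/$pid/limits")")
    used=$(ls "/proc/$pid/fd" | wc -l | tr -d ' ')
    pct=$(fd_usage_pct "$used" "$limit")
    echo "named pid $pid: $used of $limit file descriptors in use ($pct%)"
    if fd_headroom_ok "$used" "$limit" 80; then
        echo "ok: below 80% of the soft limit"
    else
        echo "warning: raise the limit in named's startup environment" >&2
        return 1
    fi
}

# Only run the live check when asked, so the functions can be sourced
# or exercised against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_named
fi
```

Run it as root with `--live` on the resolver; if the reported soft limit is still the distribution default rather than the value you set, the ulimit did not apply to the environment named was started from, which is the first thing to check when the descriptor complaints come back under load.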
In fact, now we can relax while those who didn't patch have discovered that the flaw's details were worked out before its scheduled public announcement ... yikes!