Forum Discussion
DNS domain blocking using UDP payload
when RULE_INIT {
}
when CLIENT_ACCEPTED {
    # Only clients already listed in the bad_dns_users data group get deeper inspection.
    if { [class match [IP::client_addr] equals bad_dns_users] } {
        # DNS header: transaction ID is the first 2 bytes; the question name starts at
        # offset 12 and is read as raw wire-format labels (length byte before each label,
        # NUL terminator), not as a dotted string.
        binary scan [UDP::payload] H4@12A*@12H* id dname question
        # Keep the name up to its NUL terminator, lower-cased for a case-insensitive match.
        set dname [string tolower [getfield $dname \x00 1]]
        if { [matchclass $dname contains blackhole_domain] } {
            drop
            # Stop here so a blackholed query is not also sent on to DoS_pool.
            return
        }
        pool DoS_pool
    }
}
As you can see, I changed the iRule a little bit. The goal was to "move" known offending clients to another pool where we could do a bit more ratelimiting and also to mitigate the effects of blackholing a domain to only clients that were already causing problems. Additionally, it means that we're only doing deeper inspection on a subset of our traffic. Finally, we have strict qps ratelimits on the hosts in the DoS_Pool.
Only clients on our network can access our resolvers and we have policies in place to prevent source ip address spoofing by customers.
The behavior I'm seeing is that even with the entry below in blackhole_domain, we're still seeing queries for that domain hit the DoS_pool. I think I'm missing something obvious...
\x08doohotok\x03com
07:58:55.640458 IP cl.ie.nt.ip.filenet-tms > po.ol.mem.ber.domain: 58824+ A? cmz.www.doohotok.com. (38)
0x0000: 4500 0042 cd04 4000 ff11 ffff 0000 0000 E..B..@......9\`
0x0010: 0000 0000 8000 0035 002e 59d4 e5c8 0100 .......5..Y.....
0x0020: 0001 0000 0000 0000 0363 6d7a 0377 7777 .........cmz.www
0x0030: 0864 6f6f 686f 746f 6b03 636f 6d00 0001 .doohotok.com...
0x0040: 0001 ..
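An added example, not part of the post and not F5 code, that decodes the question section from the same DNS bytes the iRule reads with `binary scan [UDP::payload] H4@12A* ...`, then checks the name against a blocklist. The payload is constructed from the tcpdump hex above (IP and UDP headers stripped, so the DNS message starts at the `e5c8` transaction ID); the blocklist contents and the helper names are assumptions. `wire_name` shows the length-prefixed form a name has on the wire, which is the form a blocklist entry must take if it is compared against the raw bytes rather than a decoded dotted name.

```python
import struct

# Constructed from the tcpdump dump in the post: the 38-byte DNS message for
# "58824+ A? cmz.www.doohotok.com." with IP/UDP headers removed.
SAMPLE_QUERY = bytes.fromhex(
    "e5c8 0100 0001 0000 0000 0000"            # header: ID 0xe5c8, RD set, QDCOUNT 1
    "03636d7a 03777777 08646f6f686f746f6b"     # labels: cmz, www, doohotok
    "03636f6d 00"                              # label: com, then root terminator
    "0001 0001"                                # QTYPE A, QCLASS IN
)

# Constructed blocklist of dotted names; matched as whole-label suffixes.
BLACKHOLE_DOMAINS = {"doohotok.com"}


def parse_question(payload: bytes):
    """Return (txid, qname, qtype, qclass) for the first question in a DNS
    message. Raises ValueError on a truncated or malformed message instead
    of reading past the buffer."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12                      # question section starts right after the header
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past end of payload")
        length = payload[pos]
        pos += 1
        if length == 0:           # root label terminates the name
            break
        if length & 0xC0:         # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
        if len(labels) > 127:
            raise ValueError("too many labels")
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", payload, pos)
    return txid, ".".join(labels), qtype, qclass


def wire_name(dotted: str) -> bytes:
    """Encode a dotted name as it appears on the wire: a length byte before
    each label and a zero byte at the end (e.g. b'\\x08doohotok\\x03com\\x00').
    This is the byte form the iRule's binary scan extracts."""
    out = bytearray()
    for label in dotted.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def is_blackholed(qname: str, blocklist=BLACKHOLE_DOMAINS) -> bool:
    """True when the query name is a blocked domain or a subdomain of one
    (label-boundary match, so 'notdoohotok.com' does not match 'doohotok.com')."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocklist)


if __name__ == "__main__":
    txid, name, qtype, qclass = parse_question(SAMPLE_QUERY)
    print(f"id={txid} qname={name} qtype={qtype} qclass={qclass}")
    print("wire form of blocklist entry:", wire_name("doohotok.com"))
    print("blackholed:", is_blackholed(name))
```

Running it prints the decoded name `cmz.www.doohotok.com` with transaction ID 58824, matching the tcpdump line, and shows that the raw bytes the iRule scans contain `\x08doohotok\x03com` as actual length bytes rather than the characters `\x08`.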