F5 GTM DNS - high number of requests

Thank you JRahm and AubreyKingF5 for your responses.

To clarify and answer/confirm AubreyKingF5 questions or recommendations (in blue) :

1. Turn off tcp DNS if on. - our GTM is set to answer UDP only.
2. UDP timeout can be immediate. When flooded, UDP acts almost like streaming video.. it will blow up each connection as wide as it can and then take every connection possible. You end up with port exhaustion and eventual collapse. Make a new UDP profile and apply it to your DNS VIP(s). - that was the first thing we did back in June/July when we noticed the events. As you see in the below screenshot, by lowering the UDP 53 from 40 sec default timeout to 10 sec default timeout, we are now facing ~350K connection (while initially we were with ~1.2Mil connections) . The UDP 53 timeout was set on the Firewall, that is in-path between Internet and F5 GTM .
   
   
   
3. AFM. Immediately. For the price, what AFM brings to the table is immeasurable. If you use an iRule, you will need to open all of your packets at layer 7.. and how many connections are you getting? Your processors will scream. AFM allows you to do the majority of the heavy lifting earlier in the HUD chain.. before a packet ever even hits a VIP. You can filter DNS at the global context... or route domain. - so, we have AFM enabled, but only with an DDoS profile for DNS and that didn't helped that much, as the DNS queries are valid, like A or AAAA or CNAME queries, not bad ones.... 
   Is it possible to get some documents/recommendations for AFM set-up for DNS (doesn't need to be specific for DNS as we can et an ideea out of it and build it ourselves). 
   
   
4. IP Intelligence.. but make sure you're getting your updates on a VLAN that does not feel inbound DOS pain.. EVER. Why IPI? How many of those clients are people? We update IPI every 5 minutes. - We certainly can start looking into this too, and enable certain filters based on the IP Intelligence, and like for the AFM, we ask for some documents/recommendations for IP Intel set-up in general.
   Thing is, the IP's that reaches use are not BAD - like those ones from this morning (194.226.75.82, 194.226.75.83, 212.12.0.2, 173.212.200.42, 213.136.95.11, 193.232.160.48, 194.226.75.81, 193.232.160.51, 5.148.43.44, 193.232.231.81) I searched them on different lists and they are OK IP's. 
   [or from an "attack" a week ago 194.226.75.81, 194.226.75.83, 193.232.230.82, 193.232.230.81, 194.226.75.82, 193.232.160.48, 193.232.160.50, 193.232.160.49, 193.232.160.51, 193.232.231.81] 
   This is why we were not looking into getting those IP's BLOCKED on our Firewall, as others would be used next. We wanted to identify the exact attack and drop that specifically. So since all the queries are normal DNS queries , we thought that using an iRule that would DROP queries for records not existing in our GTM, would be a better approach 🙂 .
   
   
5. Fancier.. Flowspec from your GTM to your perimeter routers. If a DOS event is triggered, blackhole that IP. - Right, therefore we struggled a bit to get the DNS logs out of F5 and be able to filter throuh and with some inteligence, we would extract all the IP's that are getting an REFUSED response back in 1 min or so, and if that happens over 50 or 100 iterrations  a minute, we would block that for a certain period. It's still a work-in-progress but we're close 🙂 .
   
   
6. Consider calling in F5 SIRT, if it's bad. They will put an easy stop to it for a consulting fee. As Jason mentioned, platforms are fast and easy to implement, if needed. - Thank you for the recommendations , so we're not in a critical position now, as we have it cotained - if we can say so 🙂 .
   

So, our take from all this is to look on the AFM and IP Intelligence and in the end (if this doesn't get the results as expected) we could go with the iRule we've talked about .

If there are any other ideeas, please share .

Thank you and have a great weekend,