DNS Tunnel Mitigation v2
Hi,
It's been a while since my last post on DevCentral. To help resolve the doubts raised above, I'd like to share the following:
1. [DNS::len] > 512 and domain [DNS::question name] 4 are filters that improve the performance of the solution. Both can be adapted to the particular needs of each customer environment.
2. 512 is a good starting point for analyzing DNS messages; anything below that will not be processed by the iRule. It is also aligned with RFC 7766, in order to switch to TCP for messages whose size exceeds the DNS protocol's original 512-byte limit.
3. [DNS::question name] 4 is a good starting point for the domain name entropy. The larger this number is, the more granular and effective the protection will be, but the size of the table can grow very quickly, worsening iRule performance.