We have F5 Big-IP VE with license GTM(DNS). I have configured gslb.example.com zone in ZoneRunner and delegate it in our external (ISP) DNS servers in order to our clients get information for zone gslb.example.com from our F5 big-IP VE. Notify, that there is a PaloAlto 3020 in front of F5 Big-IP VE.
How can I protect my DNS Listeners from DDOS and other attacks?
Modern security device has the capabilities to protect network from attack such as DOS, DDOS, Syn flood etc. As you said palo alto is front then F5 DNS. So these devices has DDOS protection machanism. If possible add one more layer between palo alto n F5 DNS.