Potential DNS DDoS (query (cache) './NS/IN' denied)

I started getting a ton of these in my DNS logs a few days ago:

Jan 19 05:33:47 comp named[4488]: client 76.9.31.42#55056: query (cache) './NS/IN' denied
Jan 19 05:33:53 comp named[4488]: client 76.9.31.42#30931: query (cache) './NS/IN' denied
Jan 19 05:33:59 comp named[4488]: client 76.9.31.42#31789: query (cache) './NS/IN' denied
Jan 19 05:34:06 comp named[4488]: client 76.9.31.42#38458: query (cache) './NS/IN' denied
Jan 19 05:34:12 comp named[4488]: client 76.9.31.42#31734: query (cache) './NS/IN' denied
Jan 19 05:34:18 comp named[4488]: client 76.9.31.42#52640: query (cache) './NS/IN' denied
Jan 19 05:34:24 comp named[4488]: client 76.9.31.42#12441: query (cache) './NS/IN' denied
Jan 19 05:34:30 comp named[4488]: client 76.9.31.42#20453: query (cache) './NS/IN' denied

Doing some research on the IPs, I've been seeing some talk about a potential DDoS attack in progress. Basically it's flooding the spoofed source with replies. To counter this, I thought I would create a rule in fail2ban to block if there are 50 of these in a short span. This effectively is working, but I'm wondering if I should just block the problem sources until the storm has passed. Currently, these are the IPs I'm seeing:

69.50.142.110
76.9.16.171
76.9.31.42
69.50.142.11
66.230.160.1
66.230.128.15

There are a few mentions of this on the web. DShield seems to be the most active so far: http://www.dshield.org/indexd.html

There is also an online tool at isc.sans.org where you can verify if your DNS server responds to "." queries with a full list of root name servers. The link is here:
http://isc1.sans.org/dnstest.html

As you can also see, I commented below with a fail2ban rule to identify and block these... if they're being denied.

I just noticed the same thing. What filter did you set in fail2ban? Thanks

This is what I'm using right now in /filters/dns.conf. I have maxretry set to 20 and bantime set to 14400. I might crank bantime much higher... or just add it to iptables altogether.

[Definition]

# Option:  failregex
# Notes.:  regex to match the DNS denied queries in /var/log/messages. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = : client <HOST>#.*: query \(cache\) '\./NS/IN' denied

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
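As an added example (not code posted by anyone in this thread), the script below applies the same failregex idea to the named log format shown above and counts denied './NS/IN' queries per source inside a findtime window, the way fail2ban's maxretry works. The sample log lines and the year (syslog timestamps carry none) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same pattern as the fail2ban failregex above, with <HOST> expanded the way
# fail2ban does it; the dot in './NS/IN' is escaped so only a literal dot matches.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?:::f{4,6}:)?(?P<host>\S+)#\d+: query \(cache\) '\./NS/IN' denied"
)

# Constructed sample lines in the thread's log format (the third is a different
# denied query and must not be counted).
SAMPLE_LOG = [
    "Jan 19 05:33:47 comp named[4488]: client 76.9.31.42#55056: query (cache) './NS/IN' denied",
    "Jan 19 05:33:53 comp named[4488]: client 76.9.31.42#30931: query (cache) './NS/IN' denied",
    "Jan 19 05:33:58 comp named[4488]: client 10.0.0.5#5353: query (cache) 'example.com/A/IN' denied",
    "Jan 19 05:33:59 comp named[4488]: client 76.9.31.42#31789: query (cache) './NS/IN' denied",
    "Jan 19 05:34:02 comp named[4488]: client 69.50.142.110#40112: query (cache) './NS/IN' denied",
    "Jan 19 05:45:00 comp named[4488]: client 69.50.142.110#40113: query (cache) './NS/IN' denied",
    "Jan 19 05:45:03 comp named[4488]: client 69.50.142.110#40114: query (cache) './NS/IN' denied",
]

def parse_denied(line, year=2009):
    """Return (timestamp, source) for a matching line, else None.
    Syslog stamps carry no year, so one is assumed here."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def sources_over_threshold(lines, maxretry=20, findtime=600):
    """Per-source sliding window like fail2ban's maxretry/findtime: a source is
    reported, with the time it crossed the line, once it has `maxretry` hits
    within `findtime` seconds."""
    window = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, host = parsed
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop stale entries
            q.popleft()
        if len(q) >= maxretry and host not in flagged:
            flagged[host] = ts
    return flagged
```

With the poster's maxretry of 20 nothing in the short sample is flagged; `sources_over_threshold(SAMPLE_LOG, maxretry=3, findtime=60)` reports only 76.9.31.42, because 69.50.142.110's first hit falls outside the window of its later two.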

In Debian Lenny you have to edit /etc/fail2ban/jail.conf and change this section:
[named-refused-udp]
enabled = true
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/syslog

Restart and done.