
I just ran into this and thought it prudent to post something here in case I ever run into similar strange behavior in the future. I decided to evaluate Windows Server 2012. In doing so, I created 2 domain controllers – each running the AD bits, DNS and DHCP (btw, DHCP failover config in Server 2012 is painless and takes just 3 clicks). I adjusted my network gear with the IP helper addresses for the domain controllers (away from my Linux server that was previously handling DHCP and DNS) and changed the DHCP scope and static IP assignments to point at the new DNS servers.

I quickly noticed very slow DNS resolutions and in some instances complete DNS resolution failures. I dug into my Linux host to see if there were machines attempting to access named, but there were none – furthermore, dhcpd and named services were stopped and turned off in chkconfig. I then took a look in /var/log/messages and found insanely frequent NAT create/delete events being logged from my internet router via syslog.

So, I took a look at the rsyslog flags in /etc/sysconfig/rsyslog and I only had “-c 5”, which simply sets the compatibility mode to 5. So I thought – hmmmm, maybe rsyslog is trying to do lookups… dug into rsyslog options or “syslogd_options” and found -x, which disables lookups. Bounced rsyslog and voilà! No more crazy DNS traffic from the syslog server… whew…
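The change described above, written as an idempotent check that can be run against a copy of the file first. This is an added example, not from the original post; the function names are hypothetical, and it assumes the options are held in a double-quoted `SYSLOGD_OPTIONS` line.

```bash
#!/usr/bin/env bash
# Added example: make sure rsyslog's -x flag (no DNS lookups for remote
# senders) is present in SYSLOGD_OPTIONS. Takes a file path, so it can be
# tried on a copy before touching /etc/sysconfig/rsyslog.
# Assumption: the options value is double-quoted, e.g. SYSLOGD_OPTIONS="-c 5".

# Succeeds if SYSLOGD_OPTIONS already carries a standalone -x.
has_no_dns_flag() {
    grep -Eq '^[[:space:]]*SYSLOGD_OPTIONS="([^"]*[[:space:]])?-x([[:space:]"]|$)' "$1"
}

# Adds -x once, keeping whatever options are already set.
ensure_no_dns_flag() {
    local file=$1 tmp
    if has_no_dns_flag "$file"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*SYSLOGD_OPTIONS="[^"]*"' "$file"; then
        tmp=$(mktemp)
        sed -E 's/^([[:space:]]*SYSLOGD_OPTIONS="[^"]*)"/\1 -x"/' "$file" > "$tmp"
        cat "$tmp" > "$file"   # rewrite in place so owner and mode are kept
        rm -f "$tmp"
    else
        # No quoted SYSLOGD_OPTIONS line at all: add one.
        printf 'SYSLOGD_OPTIONS="-x"\n' >> "$file"
    fi
}

# Demo on a constructed copy of the file described in the post.
demo() {
    local sample
    sample=$(mktemp)
    printf '# constructed sample\nSYSLOGD_OPTIONS="-c 5"\n' > "$sample"
    ensure_no_dns_flag "$sample"
    cat "$sample"
    rm -f "$sample"
}
demo
```

rsyslog reads these options only at startup, so the service has to be restarted afterwards, as in the post.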
