As I can’t reply to the original thread here (DNS DDoS via multiple exit relays causing performance issues? - #2 by gus) but did want to share my quick fix, I created this thread.
The issue is starting to get more frequent for me. So I currently have an experimental restart cronjob for the unbound service on my relays. Unbound should never exceed even 10% sustained, but I’ve set it at 35% currently. If bad actors abuse this to try to DoS me, I’ll migrate to another solution (e.g. GitHub - artikel10/surgeprotector: Block Tor Exit traffic to flooded IP addresses via ExitPolicy), but for now this seems fine. Either way, the attacks seem quite manual from what I can tell. When I remove the bad actor from my nodes, they start using other high-bandwidth nodes of mine within 5 - 10 minutes sometimes. Some fun whack-a-mole. It’s also still sporadic, but the frequency is increasing.
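For readers who want to reproduce the kind of threshold-based restart described above, here is an added example of such a cron-driven guard script. It is not the poster's own cronjob; it assumes unbound runs as a systemd unit named `unbound.service`, that `ps` is procps (Linux, supports `-C` and `-o %cpu`), and uses the 35% figure from the post as the default threshold. The decision logic lives in `should_restart` so it can be exercised without touching the service.

```shell
#!/bin/sh
# unbound-guard.sh: restart unbound when its CPU usage exceeds a threshold.
# Added example, not the poster's script. Assumptions: systemd unit
# "unbound.service", procps-style ps, logger available for an audit trail.
# Intended to be run from cron, e.g. every minute:
#   * * * * * /usr/local/sbin/unbound-guard.sh run

THRESHOLD="${UNBOUND_CPU_THRESHOLD:-35}"      # percent; 35 as in the post
SERVICE="${UNBOUND_SERVICE:-unbound.service}" # assumed unit name

# Sum %cpu over all unbound processes and print it as an integer.
# Note: ps reports a lifetime average per process, not an instantaneous value,
# so this only approximates "sustained" load (see usage note below).
unbound_cpu() {
    ps -C unbound -o %cpu= 2>/dev/null | awk '{ s += $1 } END { printf "%d\n", s + 0 }'
}

# Pure decision function: true (exit 0) when cpu_percent is strictly greater
# than the limit. Decimal input is truncated before comparison.
# Args: <cpu_percent> <limit>
should_restart() {
    cpu="${1%.*}"
    limit="$2"
    [ "$cpu" -gt "$limit" ]
}

# Restart the service and leave a syslog/journal line so each event is auditable
# and can be correlated with relay traffic later.
restart_unbound() {
    logger -t unbound-guard "unbound CPU ${1}% exceeds ${2}%, restarting ${SERVICE}"
    systemctl restart "$SERVICE"
}

main() {
    cpu="$(unbound_cpu)"
    if should_restart "$cpu" "$THRESHOLD"; then
        restart_unbound "$cpu" "$THRESHOLD"
    fi
}

# Only act when explicitly invoked with "run" (as in the crontab line above),
# so sourcing the file for testing has no side effects.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Two practical notes: because `ps` reports a per-process lifetime average, a freshly restarted unbound will read low even under a flood, so a guard like this measures "sustained" load only loosely; sampling `/proc/<pid>/stat` twice a few seconds apart gives a truer reading. Also keep the `logger` line: a restart log with timestamps is what lets you later tell whether the load came from a resolver bug or from the traffic pattern the original thread discusses.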