If its public facing - then your going to have allow connections.. Why would you block people from doing queries to your nameserver for a public domain?
I am confused to why you would want to block someone from doing a query to your public name server? Do you feel this is some sort of dns attack? If you feel its an attack, again a sniff of the traffic between you and the IPs would be helpful - they could simply being doing queries to your domain.
that state you posted from what your xx out, I have to assume that is your IP. So that state is from your box to that public IP. So is your name server also use for recursive lookups?
Do you allow queries for domains that your not authoritative for? Normally this is bad practice for a public facing server that is authoritative for zones.
udp 188.8.131.52:53 <- 192.168.1.7:43101 SINGLE:MULTIPLE
I just did a query from a box on my network to ns1.yahoo.com which is that IP.
;; Query time: 20 msec
;; SERVER: 184.108.40.206#53(220.127.116.11)
So you can see my state above. The direction of the arrow is from MY ip to that public nameserver to port:53
In your state that looks like your server talking to that 18.104.22.168 IP Which looks like http://forum.kazahstanki.com/
to me. when I look up that IP http://www.robtex.com/ip/22.214.171.124.html#ip
Now I show that also the IP for www.kazahstanki.com
-- which be warned looks to be a adult related site. Not blocked by my work filters
For all we know someone is posting on that site with a signature pointing to something in one of your public domains, so that your getting a lot of queries for the record. Again a sniff will give you lots of info to work with. On pfsense do a capture under diag for port 53, and take a look at what is the traffic actually is.
If you just looking to adjust the timeouts for states. Yes they can be adjusted - what do you have your firewall set to in advanced, firewall optimization? normal, conservative, aggressive, high latency? I am set to normal, and show these as the state timeouts
]/root(1): pfctl -s t
tcp.tsdiff 30sudp.first 60s
adaptive.start 58200 states
adaptive.end 116400 states
But since you say your running a public facing dns - its going to get lots of traffic I would assume, depending on the domain(s) in question being hosted on it.
But to answer your question directly - just putting in the block would not clear the state table. Put in your block, and then flush your states and then you should block after you clear the states.
Also keep in mind if this server is doing recursive for say your local users -- that could generate all kinds of dns traffic. Does your name server just forward, or does it do lookups from roots? Dns can generate lots of weird traffic from all over the globe
Keep in mind allowing recursive lookups from public is not safe practice - this can be used for simple dos attacks to take down your dns. Not to that big of deal if you only allow recursive from your own users. But I would look to make sure you have a very valid reason to allow recursive from public. And going to have to be appropriately sized for the amount of traffic running public dns can generate. Also look to what your TTLs are set to. Low TTLs can generate a storm of traffic depending on the popularity of the domains being hosted.