> > Add a logging rule just before dropping packets for a given chain.

# append new rule to end of INPUT chain before DROP policy catches it
# LOG is a non-terminating target: the packet is logged and then falls
# through to the chain's DROP policy.  The prefix option is --log-prefix.
# See also: iptables(8)
iptables -A INPUT   -m limit --limit 10/second -j LOG --log-prefix "Dropping: "
iptables -A FORWARD -m limit --limit 10/second -j LOG --log-prefix "Dropping: "
iptables -A OUTPUT  -m limit --limit 10/second -j LOG --log-prefix "Dropping: "

Essentially, you can add a log rule right before any of your accept
rules as well.  Instead of using -j ACCEPT, you use -j LOG.

If you don't want to screw with your firewall, I suggest you install
wireshark or tcpdump and watch your eth1 interface for DNS requests,
just to make sure they're coming in.

You could also create a rule that counts requests for DNS entries on
the eth1 interface.

# -I inserts at the head of the chain, so the ACCEPT is issued first and the
# LOG second for each protocol; that leaves LOG ahead of ACCEPT, and since LOG
# is non-terminating the packet goes on to be accepted after it is logged.
iptables -I INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 53 -m limit --limit 10/second -j LOG
iptables -I INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 53 -m limit --limit 10/second -j LOG

Maybe create a chain for logging ACCEPT or DROP.

iptables -N LogAccept
iptables -A LogAccept -m limit --limit 10/second -j LOG --log-prefix "Accepting: "
iptables -A LogAccept -j ACCEPT

iptables -N LogDrop
iptables -A LogDrop -m limit --limit 10/second -j LOG --log-prefix "Dropping: "
iptables -A LogDrop -j DROP

# Create one for DNS
iptables -A INPUT -i eth1 -p tcp --dport 53 -j LogAccept
iptables -A INPUT -i eth1 -p udp --dport 53 -j LogAccept

# And the last rule...
iptables -A INPUT -i eth1 -j LogDrop

Enjoy!
-- 
Chad Walstrom <chewie at wookimus.net>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
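Added example, not part of the original post: a small Python reader for the kernel log lines the LogAccept/LogDrop chains above produce, which answers the "are DNS requests actually coming in on eth1" question from the logs themselves. The sample log lines are constructed for this example (the MAC= field is omitted), and the `Accepting: ` / `Dropping: ` prefixes assume the --log-prefix values used in the chains above.

```python
import re
from collections import Counter

# Constructed sample of what the kernel logs for the LogAccept/LogDrop chains
# (MAC= field omitted for brevity); these lines are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: Accepting: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Mar  3 10:01:02 gw kernel: Accepting: IN=eth1 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40002 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 gw kernel: Dropping: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 gw kernel: Accepting: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=UDP SPT=40003 DPT=53 LEN=40
Mar  3 10:01:05 gw kernel: Dropping: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=10 PROTO=TCP SPT=55556 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:06 gw sshd[123]: Accepted publickey for chad from 192.0.2.10
"""

# A LOG-target line is "<prefix>" followed directly by the IN= field list.
LOG_RE = re.compile(r"kernel: (?P<prefix>\w+): (?P<fields>IN=.*)$")

def parse_log_line(line):
    """Return (prefix, {field: value}) for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True  # bare flags such as DF or SYN
    return m.group("prefix"), fields

def summarize(log_text, iface="eth1"):
    """Count logged packets per (prefix, proto, dport) seen on iface, and
    accepted DNS requests per source.  Because the rules use -m limit, these
    counts are a lower bound whenever traffic bursts above the limit."""
    per_rule = Counter()
    dns_per_src = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # not a firewall LOG line (e.g. sshd)
        prefix, f = parsed
        if f.get("IN") != iface:
            continue  # came in on another interface
        per_rule[(prefix, f.get("PROTO"), f.get("DPT"))] += 1
        if prefix == "Accepting" and f.get("DPT") == "53":
            dns_per_src[f["SRC"]] += 1
    return per_rule, dns_per_src

if __name__ == "__main__":
    rules, dns = summarize(SAMPLE_LOG)
    print(sorted(rules.items()), dict(dns))
```

Feed it `journalctl -k` or /var/log/kern.log output instead of SAMPLE_LOG to check a live box.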