Andrew,
Yes, I noticed that my device is actually blocking the traffic by implementing SYN Cookies and SYN Flood firewall rules. It was logged by the system, but no SYN_Floods made it through.
Further inspecting the firewall, only 5 packets in over 20,000 were dropped. Perhaps the SYN Flood setting is too sensitive for a series of multiple DNS queries at the same time. The "block SYN Flood" setting is pre-built by LEDE, so I'll have to review the rules as they pertain to behavior with TCP DNS queries.
- KB3VWG
So not sure if your concern is primarily about the SYN flood or something else, but the system tuning in SYN cookies is a great thing. Essentially it's a challenge-response for the users to do the heavy lifting before the host goes through the motions to set up a TCP flow and consume resources. Essentially this limits the 3WS to completing only for valid connections.