I have to run dns servers since most suppliers are technically incapable of doing dnssec (my blog) That was before dnssec became um famous and some kind of now offer it, but your average hoster will probably not offer a complete solution hence why i do what i do and prefer it that way.
So one day i setup fail2ban (my blog) and get it logging dns errors as well as what already does and within seconds it is logging odd traffic from China and the Seychelles and instantly I have two bans. The non hosted zones return the appropriate get lost and fail2ban sends the block to the firewall.
The zone query (not the zoo) is an odd one and an indicator of probing. Dnssec remains working as does the contents of the file.
The seychelles has its rogues and crooks and they have been blocked before for other issues so no surprises there in fact you might be impressed by the amount of junk traffic in those tubes.