IPTables::IPv4::IPQueue #22

Payload Inspection (continued)

A second attempt:

    use Net::DNS::Packet;
    ...

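    # Decode the UDP datagram carried in the IP payload
    my $udp = NetPacket::UDP->decode($ip->{data});

    # Only inspect packets with UDP source port 53 (traffic coming from a DNS server)
    if ($udp->{src_port} == 53) {
        # In list context new() returns the parsed packet and an error string;
        # $dns is undef when the payload cannot be parsed as DNS
        my ($dns, $err) = Net::DNS::Packet->new(\$udp->{data});

        # Calling string() on an undef $dns dies, which leaves the error in $@
        eval { $dns->string };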

        if ($@) {
            warn "Blocking invalid DNS packet\n";
            $ipq->set_verdict($msg->packet_id, NF_DROP);
        } else {
            warn "Permitting valid DNS packet:\n\n", $dns->string;
            $ipq->set_verdict($msg->packet_id, NF_ACCEPT);
        }
    }

continued...

© 2003 Michael C. Toren