or how about using an NS that returns ICMP errors instead of NXDOMAIN,
perhaps using anycast for reducing network load?
ICMP is not particularly useful unless the nameserver uses
connected sockets. Now that randomised ports are used this
well may be true but there are still lots of nameservers that
don't see the ICMP message even if it makes it past the firewalls.
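
The connected-socket point above, as an added example that is not part of the original message: on Linux, a UDP socket that has called connect() gets the ICMP port-unreachable reported as ECONNREFUSED, while an unconnected socket never sees it and waits out its timeout. The loopback address, helper names and one-second timeout are assumptions made for the demonstration.

```python
import socket

def closed_udp_port():
    """Return a loopback UDP port with no listener (bind, note the port, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def probe(connected, port, timeout=1.0):
    """Send one datagram to a closed port and report what the sender observes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    dest = ("127.0.0.1", port)
    try:
        if connected:
            # connect() binds the socket to one peer, so the kernel can
            # match the returning ICMP error to it and report it.
            s.connect(dest)
            s.send(b"query")
            s.recv(512)
        else:
            # Unconnected socket: the ICMP error is not delivered to the
            # application (assumes Linux defaults, IP_RECVERR not set).
            s.sendto(b"query", dest)
            s.recvfrom(512)
        return "reply"
    except ConnectionRefusedError:
        return "icmp-error"   # ICMP port unreachable surfaced as ECONNREFUSED
    except socket.timeout:
        return "timeout"      # nothing surfaced; the resolver just waits
    finally:
        s.close()

def compare():
    """Run both probes against the same closed port."""
    port = closed_udp_port()
    return {"connected": probe(True, port), "unconnected": probe(False, port)}

if __name__ == "__main__":
    print(compare())
```

A resolver in the unconnected case gains nothing from the ICMP reply and falls back to its normal retry timer, which is the behaviour the reply describes.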