Hi Mark,
I think setting an immediate timeout for the UDP traffic might eliminate the high connection count problem. I'd suggest testing it on a non-production virtual server first, though.
I could see DNS parsing being a useful feature for LTM. It can't hurt to open an RFE case with F5 Support.
You could log the DNS requests, but it would be binary data. You could use binary scan to parse it. Nat Thirasuttakorn added a great codeshare example for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/DNS_decoding.html
The act of parsing and logging locally so many events itself could potentially take the box down or affect production traffic handling. You could try using the HSL:: commands to do this.
http://devcentral.f5.com/wiki/default.aspx/iRules/hsl
If it were me, I'd probably just capture a tcpdump and analyze it off the LTM. Not very sexy, but it would have the least impact.
Aaron
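The codeshare iRule Aaron links decodes the DNS payload with Tcl's binary scan; as an added example that is not part of this thread or of that codeshare, here is the same header-and-question decode in Python, which is what you would run off-box over UDP payloads pulled from a tcpdump capture. The sample packet and the 10.0.0.5 client address are constructed.

```python
import struct

# RFC 1035 QTYPE values commonly seen in client queries (subset)
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV"}

def parse_dns_query(payload: bytes) -> dict:
    """Decode the 12-byte header and first question of a DNS message (RFC 1035 4.1)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    offset, labels = 12, []
    while True:  # QNAME is a run of <length><label> ending in a zero byte
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length, offset = payload[offset], offset + 1
        if length == 0:
            break
        if length & 0xC0:  # 0b11xxxxxx is a compression pointer, never valid here; >63 is invalid too
            raise ValueError("bad label length or compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if offset + 4 > len(payload):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rd": bool(flags & 0x0100),
            "qdcount": qdcount, "qname": ".".join(labels) or ".",
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass}

def log_line(client_ip: str, payload: bytes) -> str:
    """One compact line per query, the shape you would hand to HSL or syslog."""
    q = parse_dns_query(payload)
    return (f"client={client_ip} id={q['id']:#06x} qname={q['qname']} "
            f"qtype={q['qtype']} rd={int(q['rd'])}")

# Constructed sample packet: standard recursive query for www.example.com A/IN
SAMPLE_QUERY = bytes.fromhex(
    "1234"                        # transaction id
    "0100"                        # flags: QR=0, opcode 0, RD=1
    "0001" "0000" "0000" "0000"   # QDCOUNT=1, AN/NS/ARCOUNT=0
    "03777777" "076578616d706c65" "03636f6d" "00"  # www.example.com
    "0001" "0001"                 # QTYPE=A, QCLASS=IN
)
```

Truncated or malformed payloads raise ValueError rather than being logged half-decoded, which is the case a capture from a busy virtual server will hit sooner or later.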