According to Graylog, we're looking at having blocked 15000 or more connections from internal IP addresses each day. Also, logs on cp13 indicate that UFW is blocking ns1 and ns2 regularly, which seems to be causing the cp to depool in gdnsd.
I've confirmed we seem to have a problem with TCP packets being marked as status INVALID. Adding a temporary iptables rule to log all packets that match -m state --state INVALID reveals that a large portion of traffic coming into cp13 (including from ns1!) is being flagged by the kernel as invalid. In theory, we can add a rule to drop invalid packets, as the TCP stack should recover itself. However, I don't think this is a decent solution, and I will be looking into deeper debugging to try to identify the root cause.
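As an added example that is not part of the ticket, the temporary logging rule described above together with a small script for reading its output: the rule writes one kernel log line per INVALID packet, and the functions below count those lines per source address, per TCP flag combination and per address prefix, which is what you want when deciding whether the flagged traffic is stray FIN/ACK tails from expired conntrack entries or something else. The log prefix "INVALID: ", the interface, the addresses and the log lines themselves are constructed for this example.

```shell
#!/bin/sh
# Temporary diagnostic rule (assumed form; adjust chain/prefix to taste). The
# limit keeps a flood of INVALID packets from filling the kernel log:
#   iptables -I INPUT -m state --state INVALID -m limit --limit 10/min \
#            -j LOG --log-prefix "INVALID: "
# The interim drop rule the ticket mentions would be:
#   iptables -A INPUT -m state --state INVALID -j DROP
# Remove the LOG rule again once enough samples have been collected.

# Constructed sample of LOG output (not real cp13 data). Flags appear as bare
# words between RES=... and URGP=... in the LOG target's format.
SAMPLE_LOG='kernel: INVALID: IN=eth0 OUT= SRC=10.0.0.11 DST=10.0.0.13 LEN=52 PROTO=TCP SPT=443 DPT=53412 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: INVALID: IN=eth0 OUT= SRC=10.0.0.11 DST=10.0.0.13 LEN=52 PROTO=TCP SPT=443 DPT=53412 WINDOW=0 RES=0x00 ACK FIN URGP=0
kernel: INVALID: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.13 LEN=40 PROTO=TCP SPT=41000 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0
kernel: INVALID: IN=eth0 OUT= SRC=10.0.0.12 DST=10.0.0.13 LEN=60 PROTO=UDP SPT=53 DPT=40021 LEN=40
kernel: INVALID: IN=eth0 OUT= SRC=10.0.0.11 DST=10.0.0.13 LEN=40 PROTO=TCP SPT=443 DPT=53413 WINDOW=0 RES=0x00 ACK FIN URGP=0'

# Flagged packets per source address, highest count first. Reads log lines
# from stdin, e.g.: journalctl -k | grep 'INVALID: ' | invalid_by_src
invalid_by_src() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# Flagged TCP packets per flag combination (e.g. "ACK FIN"). A majority of
# FIN/ACK-only packets points at late segments of connections conntrack has
# already forgotten, rather than at new connection attempts.
invalid_tcp_flags() {
    awk '/PROTO=TCP/ {
        flags = ""; on = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^URGP=/) on = 0
            if (on) flags = flags (flags == "" ? "" : " ") $i
            if ($i ~ /^RES=/) on = 1
        }
        n[flags]++
    } END { for (f in n) print n[f], f }' | sort -rn
}

# Number of flagged packets whose source starts with the given prefix.
# End a network prefix with a dot ("10.0.0.") so 10.0.0.1 does not match
# 10.0.0.11; a full address gives an exact-prefix count for that host.
invalid_count_from() {
    awk -v k="SRC=$1" '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, length(k)) == k) c++
    } END { print c + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | invalid_by_src
printf '%s\n' "$SAMPLE_LOG" | invalid_tcp_flags
printf '%s\n' "$SAMPLE_LOG" | invalid_count_from 10.0.0.
```

On a live host, feed the functions with `journalctl -k | grep 'INVALID: '` (or the syslog file the kernel messages land in). Two checks worth running alongside: `conntrack -S` from conntrack-tools reports per-CPU `invalid` counters, which should rise in step with the logged lines; and note that INVALID for TCP commonly comes from the window-tracking checks in nf_conntrack, which `net.netfilter.nf_conntrack_tcp_be_liberal=1` relaxes. That sysctl hides the symptom much like the drop rule does, so it is a workaround to test with, not a root cause.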