I would suspect that you are nating to the outside interface IP, and that these are late replies to internal dns queries. 220.127.116.11 is a valid dns server (ns1.netins.net) so this is unlikely to be an attack.
Did you happen to set your udp timeout to be lower than normal? Are you on a particularily slow or congested line?
DNS queries usually time out in 60 seconds, so there isn't -usually- any problem getting the answer back within the 2 minute default udp timeout setting.
Does 18.104.22.168 happen to be your regular DNS server? Or are hosts inside your system explicitly asking for DNS resolution from 22.214.171.124 (as opposed to them asking your internal DNS server for resolution and that internal DNS server then asks 126.96.36.199 for resolution)? If you have an internal DNS server, is
188.8.131.52 set as a host your internal DNS server forwards queries to? If your hosts are regularily presenting DNS queries to 184.108.40.206 and your hosts are setting the "want recursion" flag, and
220.127.116.11 is willing to do recursion for you, then it can end up taking more than 2 minutes to get a reply back and you might have to increase your udp timeout.
The "want recusion" flag is usually set for direct DNS queries, host to some server that is configured as its DNS server; it is also often set by internal DNS servers in making queries to a system the internal server has been configured to "forward" queries to. It is, though, if I recall correctly, usually not set by a DNS server in making queries to a random DNS server on the net as it goes through the standard name resolution process.
I've seen similar behavior after upgrading to our latest version of 6.x. I've been noodling around for an answer, but the closest thing I've seen a reference to is that this is somewhat of a "bug". I see these entries, though, for port 80 (HTTP traffic). We do run Websense, so I don't know if this is some sort of TCP connection timeout issue, something with Websense, etc. It is a pain because it really fills up the logs with a bunch of noise. I've tried tuning the log message types and priorities, but that hasn't helped too much.
I'd appreciate your thoughts as it would be nice to not have to filter through multiple gigabyte log files of junk to find items of concern. Thanks!