My ISP says my network is attacking their DNS

Starting on the 13th, apparently there is a device on my network sending too many DNS requests to my ISP, triggering an automatic suspension of my account.

The second time it occurred, almost exactly one week later (#1: 8/13/18 ~10 AM; #2: 8/20/18 ~1 PM), a laptop of mine went down (UEFI settings and registry, still have not resurrected it). Apparently Cox (my ISP) does not suspend on the first "attack", so I wasn't aware of the issue until the second round. The timing was awfully suspicious, and I was hoping the dead laptop would be the end of this.

This morning (#3: 8/26/18 ~4 AM) marks the third "attack", and as I can now safely rule out the dead laptop, I am looking for other possible sources of these attacks.

There are 5 PCs on my network: 4 Windows and 1 Mac. I have run virus / malware scans on the Windows PCs but not on the Mac.

Apart from my router (with LEDE), I have a Ubiquiti UAC Pro and a Honeywell Wifi Thermostat. Beyond those devices, there are a few Android TV boxes, but none of those were ON during (at least) the last two "attacks".

I keep putting "attacks" in quotes because the almost "automatic" frequency of these occurrences suggests that perhaps some piece of software on my network is malfunctioning.

The most logical thing I can think of to do next is log all of my incoming/outgoing connections, and then try to match the next attack to an IP address on my network. From a cursory search, I believe what I will need to do is use some combination of iptables, sys_log, and a remote logging application. Is anyone aware of a tutorial hiding somewhere on the internet that would walk me through some of the steps?

Beyond that, is there any package I could install that would prevent this sort of thing from happening?

Note: Just as an intermediate test, I changed my DNS servers to Google. I'm also using YAMon to track bandwidth usage.

OpenWrt # tcpdump -ni <your WAN interface> udp dst port 53 and src net <xxx.yyy.zzz.0/nn>

If you run it over an ssh session, you'll be able to capture the results on your "desktop" machine and then look back at them.

The tcpdump-mini package should be sufficient.
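One way to review such a capture afterwards, as an added example that is not part of the original thread: this Python script reads saved `tcpdump -n` text output and reports which source addresses exceed a per-minute DNS query limit. The sample lines, addresses, names, function names and the limit of 5 are constructed, and it assumes the capture was taken where client addresses are still visible (before NAT).

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -n` text output (not from the thread):
# one client sending 40 queries in a minute, one normal client, one response.
SAMPLE = "\n".join(
    [f"04:00:{s:02d}.100000 IP 192.168.1.50.{53000 + s} > 192.168.1.1.53: "
     f"{4000 + s}+ A? telemetry.example.net. (39)" for s in range(40)]
    + ["04:00:05.200000 IP 192.168.1.23.40111 > 192.168.1.1.53: 7+ [1au] AAAA? example.com. (40)",
       "04:01:10.300000 IP 192.168.1.23.40112 > 192.168.1.1.53: 8+ A? example.org. (29)",
       "04:01:10.350000 IP 192.168.1.1.53 > 192.168.1.23.40112: 8 1/0/0 A 203.0.113.7 (45)"]
)

# Matches query lines only: destination port 53 and a "TYPE? name" question.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP6? "
    r"(?P<src>\S+)\.\d+ > \S+\.53: "
    r"\d+[+%*-]* (?:\[[^\]]*\] )?[A-Za-z0-9]+\? (?P<qname>\S+)"
)

def parse_queries(text):
    """Yield (HH:MM, source address, query name) for each DNS query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["ts"][:5], m["src"], m["qname"].rstrip(".").lower()

def noisy_clients(text, per_minute_limit=5):
    """Return {source: (peak queries in one minute, most queried name)}
    for every source whose peak exceeds per_minute_limit."""
    per_minute = Counter()
    names = defaultdict(Counter)
    for minute, src, qname in parse_queries(text):
        per_minute[(src, minute)] += 1
        names[src][qname] += 1
    peaks = Counter()
    for (src, _minute), count in per_minute.items():
        peaks[src] = max(peaks[src], count)
    return {src: (peak, names[src].most_common(1)[0][0])
            for src, peak in peaks.items() if peak > per_minute_limit}

if __name__ == "__main__":
    # Pass a saved capture file as the first argument, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for src, (peak, name) in sorted(noisy_clients(data).items()):
        print(f"{src}: peak {peak} queries/min, mostly {name}")
```

The most queried name per source is often the quickest pointer to which piece of software on that machine is generating the traffic.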

Thank you for the tip. I will try that and see how it goes.

Located an inordinate number of DNS Client Events on one Windows machine. Have a feeling that machine is the source of my troubles.