I have updated Deadwood today to not only check the ID (and port number) [1] for incoming queries, but also to make sure the query is the same (the answer the remote server sends us should match the question we gave them).
It can be downloaded at www.maradns.org/deadwood.
- Sam
[1] The way Deadwood verifies the port is the somewhat hackey way of "connecting" with a UDP socket in the function make_remote_connection(). Once this is done, the only UDP query allowed to reply to the UDP packet we send is one from the same IP and port number.