Quick followup: I installed ISPConfig 3 on the production server. It's been up for about a week and I haven't seen the "dns: sendto() failed" error on that box at all so I suspect this was
a development box/name server issue - just like till said.
BTW - the errors I saw when ISPConfig's firewall and fail2ban were both writing to iptables looked like this:
2010-11-02 22:24:33,124 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-11-02 22:24:33,124 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
Configuring fail2ban to use ip route
instead of iptables fixed those errors right up.