This image was for 1 second; the client generates that amount several times. Looking into it further, I found out his CPE was "hacked". But I would like to know about this traffic before it gets worse; in this case I redirected the client to a secondary DNS.
That's still well within the realm of normal traffic. The user could have a BitTorrent client open, for example, that is doing reverse lookups on connecting IPs. You should always be careful with setting limits, as not every user is the same and one person's outlier is another's normal traffic.
Obviously, if you've determined the CPE is hacked then the discussion about DNS is moot; you should wipe and reinstall the CPE.
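
The point in the reply above about fixed limits, shown as an added example that is not part of the original thread: each client's current DNS query rate is compared against that client's own history (median plus a multiple of the median absolute deviation) and against a single fixed limit. The client names, sample rates, `FIXED_LIMIT`, `K` and `MIN_SPREAD` are all constructed or hypothetical values.

```python
from statistics import median

# Constructed sample data (not real traffic): DNS queries per second seen
# from each client in earlier intervals, plus the most recent sample.
HISTORY = {
    "cpe-quiet":   [3, 5, 4, 6, 2, 5, 4, 3, 5, 4],
    "cpe-torrent": [180, 220, 205, 240, 190, 210, 230, 200, 215, 225],
}
CURRENT = {"cpe-quiet": 60, "cpe-torrent": 235}

FIXED_LIMIT = 200   # hypothetical one-size-fits-all queries/second limit
K = 6.0             # hypothetical sensitivity: deviations allowed above median
MIN_SPREAD = 1.0    # floor so a perfectly flat history does not flag on +1 qps


def baseline(samples):
    """Return (median, MAD) of one client's history; robust to a few spikes."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, max(mad, MIN_SPREAD)


def fixed_limit_alerts(current, limit=FIXED_LIMIT):
    """Clients whose current rate exceeds the same limit for everyone."""
    return sorted(c for c, qps in current.items() if qps > limit)


def per_client_alerts(history, current, k=K):
    """Clients whose current rate is far above their own normal rate."""
    alerts = []
    for client, qps in current.items():
        med, mad = baseline(history[client])
        if qps > med + k * mad:
            alerts.append(client)
    return sorted(alerts)


if __name__ == "__main__":
    # The fixed limit flags the heavy but normal client and misses the quiet
    # client whose rate jumped to many times its usual level.
    print("fixed limit:", fixed_limit_alerts(CURRENT))
    print("per-client :", per_client_alerts(HISTORY, CURRENT))
```

The per-client result is a prompt to look at that client, not a verdict; the history window has to be long enough to cover the client's usual busy periods.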