Blog | G5 Cyber Security

Checking Multiple Bits in a Flag Field

Sourcefire VRT developed a rule to detect the “back scatter” of the attack in the form of excessive NXDOMAIN packets being sent by a DNS server. The problem is that the return code field is only four out of the eight bits in the byte. We cannot simply use a byte_test on the value 6 because if any of the other flags in that byte are set the test will fail. We must synthesize the value of 6 by checking each bit individually with its own byte test.

Source: https://blog.talosintelligence.com/2008/08/checking-multiple-bits-in-flag-field_29.html
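As an added illustration (not code from the G5 page or the Talos post), the Python below emulates the per-bit byte_test approach on constructed DNS headers and shows why a whole-byte equality test misses NXDOMAIN responses that also carry RA or AD. It checks for RCODE 3, the Name Error code RFC 1035 assigns to NXDOMAIN; the packet builder and its sample values are constructed for this example.

```python
import struct

# DNS header: ID(2) | flags(2) | QDCOUNT | ANCOUNT | NSCOUNT | ARCOUNT.
# The low byte of the 16-bit flags word (header offset 3) packs
# RA(bit7) Z(bit6) AD(bit5) CD(bit4) RCODE(bits 3..0).
RCODE_BITS = (0x08, 0x04, 0x02, 0x01)
NXDOMAIN = 3  # RFC 1035 RCODE 3, "Name Error"


def rcode_bitwise_match(flags_low: int, target: int) -> bool:
    """Emulate four byte_test checks, one per RCODE bit.

    Each RCODE bit must be set or clear exactly as in target; the
    RA/Z/AD/CD bits are never examined, so they cannot spoil the match.
    Equivalent to (flags_low & 0x0F) == target.
    """
    for mask in RCODE_BITS:
        if bool(flags_low & mask) != bool(target & mask):
            return False
    return True


def whole_byte_match(flags_low: int, target: int) -> bool:
    """Naive check on the whole byte: fails as soon as RA, AD or CD is set."""
    return flags_low == target


def build_dns_header(rcode: int, ra: bool = False, ad: bool = False,
                     txid: int = 0x1234) -> bytes:
    """Constructed 12-byte DNS response header (QR=1) for testing."""
    flags = 0x8000 | (rcode & 0x0F)
    if ra:
        flags |= 0x0080
    if ad:
        flags |= 0x0020
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def is_nxdomain(packet: bytes, per_bit: bool = True) -> bool:
    """Detect an NXDOMAIN response from the flags byte at offset 3."""
    flags_low = packet[3]
    if per_bit:
        return rcode_bitwise_match(flags_low, NXDOMAIN)
    return whole_byte_match(flags_low, NXDOMAIN)


if __name__ == "__main__":
    for ra, ad in ((False, False), (True, False), (True, True)):
        pkt = build_dns_header(NXDOMAIN, ra=ra, ad=ad)
        print(f"RA={ra} AD={ad}: whole-byte={is_nxdomain(pkt, False)} "
              f"per-bit={is_nxdomain(pkt)}")
```

Only the first constructed packet (no RA, no AD) satisfies the whole-byte test, while the per-bit test flags all three NXDOMAIN responses and still rejects a NOERROR response with RA set.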
