IPtables for a virtual dedicated server.
I would like to block UDP scans and I was wondering whether there's a minimum packet size for a DNS lookup?
Nmap sends 0-byte UDP packets (source: http://nmap.org/bennieston-tutorial/ ), but there are probably tools available that allow you to add a few bytes.
Also, I don't quite understand how nmap's UDP packets can be 0 bytes.
Limiting by size is probably not what you want to do. Using Nmap as your example scanner, note that with the --data-length option an attacker can use packets of any length. Also, as I commented below your question, Nmap uses valid payloads for 39 of the most common UDP ports in order to solicit a payload. Not to mention that some protocols allow and even require the server to respond to an empty packet.
Don't despair, though. There is plenty that iptables can do to make life difficult for someone who wants to scan you. UDP scanning is notoriously difficult, since the success condition (an open port) is negative (no response) in most cases. Linux already rate-limits the closed-port response (ICMP port unreachable messages) to one per second, which makes scanning even slower. Here are some ideas:
- Using the DROP target instead of REJECT will slow down scanning significantly.
- Use the limit and hashlimit matching modules to set upper bounds on reasonable connection rates. Be careful with these, though, or you'll block legitimate access.

0 bytes of payload. The packet still has the IP and UDP headers.
Well, let's take a look at http://www.netfor2.com/dns.htm since that's easier to read than the RFC.
Every octet is a byte, so we've got:
Thus, any packet coming into the server should have at least 17 bytes of payload + IP, UDP, and link protocol headers.
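As an added example (written for this page, not code from either answer), the following Python script works through the size arithmetic from the second answer and the first answer's caveat about filtering on size. It builds a DNS query in wire format, parses it back, and shows that the smallest well-formed query (a QTYPE/QCLASS lookup for the root name) is 17 bytes of UDP payload, that a 0-byte payload is still a complete 28-byte IPv4/UDP datagram, and that a padded probe of arbitrary length sails through a minimum-size filter while not being a DNS query at all. Assumptions: IPv4 without options (20-byte header), no link-layer header counted, and the hypothetical `passes_min_size_filter` stands in for an iptables `--length` style rule.

```python
import struct

# Wire-format sizes. RFC 1035 section 4.1: a fixed 12-byte header, then a
# question made of QNAME (length-prefixed labels ending in a 0x00 byte),
# QTYPE (2 bytes) and QCLASS (2 bytes).
DNS_HEADER_LEN = 12
UDP_HEADER_LEN = 8
IPV4_HEADER_MIN_LEN = 20  # assumption: IPv4, no IP options


def encode_qname(name):
    """Encode a dotted name as DNS labels; the root ('' or '.') is a lone 0x00."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label longer than 63 octets")
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name, qtype=1, qclass=1, txid=0x1234):
    """Build a standard one-question query (flags: QR=0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, qclass)


def parse_query(payload):
    """Parse the header and first question; raise ValueError if malformed or truncated."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = DNS_HEADER_LEN
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("QNAME runs past end of packet")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query QNAME")
        label = payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("label runs past end of packet")
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("QTYPE/QCLASS missing")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "flags": flags, "qname": ".".join(labels) or ".",
            "qtype": qtype, "qclass": qclass, "consumed": pos + 4}


def is_well_formed_query(payload):
    try:
        parse_query(payload)
        return True
    except ValueError:
        return False


def minimum_query_len():
    """Smallest valid query: 12-byte header + 1-byte root QNAME + QTYPE + QCLASS = 17."""
    return len(build_query("."))


def udp_datagram_len(payload):
    """Bytes on the wire (IP + UDP headers + payload) for a datagram carrying payload."""
    return IPV4_HEADER_MIN_LEN + UDP_HEADER_LEN + len(payload)


def passes_min_size_filter(payload, minimum=17):
    """Hypothetical stand-in for a 'drop UDP payloads shorter than N bytes' rule."""
    return len(payload) >= minimum


if __name__ == "__main__":
    print("minimum DNS query payload:", minimum_query_len(), "bytes")
    print("0-byte UDP payload on the wire:", udp_datagram_len(b""), "bytes (IPv4+UDP headers)")
    padded_probe = b"\x00" * 40  # constructed: what 'nmap --data-length 40' might send
    print("padded probe passes size filter:", passes_min_size_filter(padded_probe),
          "| is a DNS query:", is_well_formed_query(padded_probe))
```

The point the two numbers make together: a filter on payload length would drop the empty probe but not a padded one, and it would never tell a padded probe from a real query; the parser does, which is the kind of check a DNS server already performs for you.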