Blocking DNS Queries


ethar
03-14-2003, 02:59 AM
I've got 14 msnbc machines querying the hell out of my server, and I can't figure out how to block them. I've tried using ipchains to DENY all of their traffic individually, but it doesn't seem to affect their ability to query me at all.

Here's some of my rules:
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT tcp -y---- anywhere anywhere any -> domain
ACCEPT udp ------ anywhere anywhere any -> domain
DENY all ------ cpns01.msnbc.com anywhere n/a
DENY all ------ cpbigip01.msnbc.com anywhere n/a
DENY all ------ cpbigip02.msnbc.com anywhere n/a
DENY all ------ tkns01.msnbc.com anywhere n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Here's a sample of my daily logs:

Mar 9 05:47:09 strider named[1078]: client 207.46.245.12#42335: query (cache) denied
Mar 9 05:47:09 strider last message repeated 2 times
Mar 9 06:09:26 strider named[1078]: client 207.46.150.10#15677: query (cache) denied
Mar 9 06:09:26 strider last message repeated 2 times
Mar 9 06:26:54 strider named[1078]: client 207.46.245.10#14331: query (cache) denied
Mar 9 06:26:54 strider last message repeated 2 times
Mar 9 06:47:52 strider named[1078]: client 207.46.150.16#31274: query (cache) denied
Mar 9 06:47:52 strider last message repeated 2 times

I know I can use blackhole in named.conf to (probably) get rid of these, but why isn't ipchains dropping their requests for me?
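An added illustration, not part of the original post or either reply: the script below reproduces the quoted named log lines as constructed sample input, counts the denied queries per client (including the "last message repeated N times" continuations, which carry no client address), and then walks the posted ipchains rule order the way the kernel does. ipchains evaluates a chain top to bottom and stops at the first matching rule, so the two ACCEPT rules for port 53 fire before any DENY rule for an msnbc host is ever consulted; hostnames in DENY rules are also resolved once, at insert time, so a name that resolves to several addresses only blocks the ones returned at that moment. The mapping of cpns01.msnbc.com to 207.46.245.12 is an assumption made only to have a concrete address to test against; the thread never shows what the names resolved to. The last function renders the BIND `blackhole` option the poster mentions from the addresses seen in the log.

```python
"""Why the posted ipchains chain still admits the queries, and what to
feed BIND's blackhole option instead.  Added example, not from the thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the named log lines quoted in the post, including
# the syslog "last message repeated" lines that have no client address.
SAMPLE_LOG = """\
Mar 9 05:47:09 strider named[1078]: client 207.46.245.12#42335: query (cache) denied
Mar 9 05:47:09 strider last message repeated 2 times
Mar 9 06:09:26 strider named[1078]: client 207.46.150.10#15677: query (cache) denied
Mar 9 06:09:26 strider last message repeated 2 times
Mar 9 06:26:54 strider named[1078]: client 207.46.245.10#14331: query (cache) denied
Mar 9 06:26:54 strider last message repeated 2 times
Mar 9 06:47:52 strider named[1078]: client 207.46.150.16#31274: query (cache) denied
Mar 9 06:47:52 strider last message repeated 2 times
"""

CLIENT_RE = re.compile(
    r"named\[\d+\]: client (\d+\.\d+\.\d+\.\d+)#\d+: query \(cache\) denied")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_denied_queries(log_text):
    """Return Counter{client_ip: denied queries}, folding syslog repeats
    into the client named on the preceding line."""
    counts = Counter()
    last_ip = None
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            last_ip = m.group(1)
            counts[last_ip] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_ip:
            counts[last_ip] += int(m.group(1))
    return counts


def first_match(chain, proto, src, dport, policy="ACCEPT"):
    """Model ipchains evaluation: rules are tried in order and the first
    one whose protocol, source network and destination port all match
    decides the packet; the chain policy applies only if none match.
    A rule is (target, proto or None for 'all', source CIDR, dport or None)."""
    src_addr = ipaddress.ip_address(src)
    for target, rproto, rsrc, rdport in chain:
        if rproto is not None and rproto != proto:
            continue
        if src_addr not in ipaddress.ip_network(rsrc):
            continue
        if rdport is not None and rdport != dport:
            continue
        return target
    return policy


# Assumption for illustration only: the DENY rule for cpns01.msnbc.com was
# resolved at insert time to 207.46.245.12.  The thread shows no mapping.
BLOCKED_HOST = "207.46.245.12/32"

# Rule order as listed in the post: ACCEPT domain first, DENY hosts after.
POSTED_CHAIN = [
    ("ACCEPT", "tcp", "0.0.0.0/0", 53),
    ("ACCEPT", "udp", "0.0.0.0/0", 53),
    ("DENY", None, BLOCKED_HOST, None),
]

# Same rules with the DENY moved ahead of the two ACCEPTs.
FIXED_CHAIN = [POSTED_CHAIN[2], POSTED_CHAIN[0], POSTED_CHAIN[1]]


def blackhole_clause(counts, min_queries=1):
    """Render a BIND options 'blackhole' clause for every client that sent
    at least min_queries denied queries, sorted by address."""
    hosts = sorted((ip for ip, n in counts.items() if n >= min_queries),
                   key=ipaddress.ip_address)
    return "blackhole { " + " ".join(f"{h};" for h in hosts) + " };"


if __name__ == "__main__":
    counts = count_denied_queries(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} denied queries")
    print("posted order, UDP/53 from blocked host:",
          first_match(POSTED_CHAIN, "udp", "207.46.245.12", 53))
    print("DENY first,   UDP/53 from blocked host:",
          first_match(FIXED_CHAIN, "udp", "207.46.245.12", 53))
    print(blackhole_clause(counts))
```

In the posted order a UDP query to port 53 from the blocked host reaches the ACCEPT rule first and is admitted, which is exactly what the named log shows; with the DENY rule inserted ahead of the ACCEPTs (`ipchains -I input 1 ...` rather than `-A`) the same packet is denied. The `blackhole` clause is an alternative at the BIND layer: named drops queries from those addresses without answering, and since it matches on the address in each query it does not depend on hostname resolution at rule-insert time.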

chrism01
03-14-2003, 06:54 AM
At the technical level, you can't block anyone until they (ie packets) reach your machine (obviously).
The only perm soln is to contact msnbc and complain. They control the user, so should be able to do something.
Actually, the names are interesting: "ns" prob means nameserver and "bigip" is an IP load balancer pkg.
Sounds like their DNS server/load balance setup needs tweaking. Try contacting their sysadmins.