Currently, our nMaxIPs when learning from DNS seeds is 256. @TheBlueMatt pointed out to me that if one of the seeds decided to actually return that many addresses, it would bias the addresses we add to AddrMan and consequently choose as our initial outbound peers. A quick drill -t of all the current seeds show that none yielded more than 26 results, meaning that if any of the seeds decided to return all 256 results (perhaps malicious ones), results from that seed would take over more than half of AddrMan.

If there were no TCP-fallback, this wouldn't be too much of a problem as at maximum we could fit around 31 IPs in a UDP packet. However, it seems that glibc uses the TCP-fallback by default, which would mean that obtaining 256 IPs is entirely possible.