I've been wondering if the UDP nature of a DNS server makes it harder to protect. Particularly coupled with the amplification attacks that DNS makes possible.
That's part of the problem. DNS servers should probably reject queries that require long answers when they come in over UDP. If you want a zone transfer, use TCP. That prevents amplification attacks.
Yes, it does. But no, it does not seem to make any difference this one time.
In a DNS-based amplification attack, you use several DNS servers to take down some other, unrelated service; this time it's just a lot of devices in a botnet attacking the DNS servers directly.
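To make the mitigation from the second reply concrete (small answers over UDP, zone transfers only over TCP), here is an added example in Python that is not part of the thread and not anyone's production resolver. It models a server that caps UDP response size, returns a truncated reply (TC bit set, so a real client retries over TCP) when the full answer would exceed the cap, and refuses AXFR/IXFR over UDP outright. The `decide_naive` policy answers everything in full for contrast. The traffic sample, the 512-byte cap and the query sizes are constructed values chosen to illustrate the amplification factor each policy yields.

```python
"""Simplified model of the UDP amplification mitigation discussed above.

Assumptions (not from the original thread): a DNS server applying a
per-transport response-size cap; oversized UDP answers are sent truncated
(TC=1) so a legitimate client retries over TCP; zone transfers are refused
over UDP. All sample traffic below is constructed, not captured.
"""
from dataclasses import dataclass

UDP_MAX_RESPONSE = 512          # bytes; classic DNS UDP payload limit, used as the cap
ZONE_TRANSFER_TYPES = {"AXFR", "IXFR"}


@dataclass
class Query:
    transport: str   # "udp" or "tcp"
    qtype: str       # e.g. "A", "ANY", "AXFR"
    query_len: int   # bytes received on the wire
    answer_len: int  # bytes the complete answer would occupy


@dataclass
class Decision:
    action: str      # "answer", "truncate" or "refuse"
    sent_len: int    # bytes actually sent back to the (possibly spoofed) source


def decide_naive(q: Query) -> Decision:
    """No policy: every query gets its full answer, whatever the transport."""
    return Decision("answer", q.answer_len)


def decide(q: Query) -> Decision:
    """Hardened policy: long answers and zone transfers only over TCP."""
    if q.transport == "tcp":
        return Decision("answer", q.answer_len)
    if q.qtype in ZONE_TRANSFER_TYPES:
        # Small REFUSED reply: roughly header plus echoed question, same size as the query.
        return Decision("refuse", q.query_len)
    if q.answer_len > UDP_MAX_RESPONSE:
        # Truncated reply carries only header and question, TC bit set; client retries over TCP.
        return Decision("truncate", q.query_len)
    return Decision("answer", q.answer_len)


def amplification(q: Query, d: Decision) -> float:
    """Bytes sent per byte received, i.e. the factor an attacker spoofing the source gains."""
    return d.sent_len / q.query_len


# Constructed sample: a normal lookup, a large ANY query, and a zone transfer over both transports.
SAMPLE = [
    Query("udp", "A", 40, 56),
    Query("udp", "ANY", 64, 3200),
    Query("udp", "AXFR", 48, 120000),
    Query("tcp", "AXFR", 48, 120000),
]


def worst_udp_amplification(policy, queries=SAMPLE) -> float:
    """Largest amplification factor the given policy allows for spoofable UDP traffic."""
    return max(amplification(q, policy(q)) for q in queries if q.transport == "udp")


if __name__ == "__main__":
    print("naive  :", worst_udp_amplification(decide_naive))   # 2500.0 (AXFR over UDP)
    print("hardened:", worst_udp_amplification(decide))        # 1.4 (only the small A answer)
```

With the hardened policy the worst case for spoofed UDP traffic drops from 2500x (the zone transfer) to 1.4x (a normal A record), while the TCP zone transfer is still served in full because a TCP handshake cannot be completed from a spoofed source. This is exactly why the policy addresses amplification but, as the third reply notes, does nothing against a botnet that floods the server directly with its own traffic.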