Rate limiting
It was a bit of a mistake to default DNS to UDP which can be spoofed trivially by anyone with raw socket access on an OS but we're stuck with it. Turning off ANY is RFC ignorant, therefore rate limiting would seem to be the answer - per host, preferably, allowing a couple of queries through then logarithmically adding treacle. Should stop any amplification shenanigans well enough, although it does potentially open another DoS vector via spoofed UDP.
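The scheme described in the post (per-source budget of a couple of queries, then a delay that grows logarithmically) sketched as an added example; this is illustrative code, not the poster's or any DNS server's implementation, and the client addresses, window length and delay constants are constructed for the demo:

```python
"""Per-source DNS query limiter with logarithmically growing delay (added example)."""
import math
import time
from collections import defaultdict


class PerHostLimiter:
    """Allow `free_queries` per client per `window` seconds, then return a
    delay that grows with log2 of the excess: the 'treacle' from the post."""

    def __init__(self, free_queries=2, window=1.0, base_delay=0.1,
                 max_delay=2.0, clock=time.monotonic):
        self.free_queries = free_queries
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock          # injectable so replays use their own timestamps
        # client address -> [window_start, queries seen in this window]
        self._state = defaultdict(lambda: [None, 0])

    def delay_for(self, client):
        """Record one query from `client`; return seconds to hold the reply (0.0 = answer now)."""
        now = self.clock()
        state = self._state[client]
        if state[0] is None or now - state[0] >= self.window:
            state[0], state[1] = now, 0          # fresh window for this client
        state[1] += 1
        excess = state[1] - self.free_queries
        if excess <= 0:
            return 0.0
        # 1st excess query: base*log2(2) = base; 3rd: base*log2(4) = 2*base, and so on
        return min(self.max_delay, self.base_delay * math.log2(1 + excess))


def simulate(records, **limiter_kwargs):
    """Replay (timestamp, client) records through a limiter driven by the records' own clock."""
    current = [0.0]
    limiter = PerHostLimiter(clock=lambda: current[0], **limiter_kwargs)
    delays = []
    for ts, client in records:
        current[0] = ts
        delays.append(limiter.delay_for(client))
    return delays


# Constructed sample: 203.0.113.9 sends a burst, 198.51.100.4 sends a single query.
SAMPLE = [
    (0.00, "203.0.113.9"),
    (0.10, "203.0.113.9"),
    (0.15, "198.51.100.4"),
    (0.20, "203.0.113.9"),
    (0.30, "203.0.113.9"),
    (0.40, "203.0.113.9"),
    (1.50, "203.0.113.9"),   # window expired, budget refreshed
]

if __name__ == "__main__":
    for (ts, client), d in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={ts:4.2f} {client:14} delay={d:.3f}s")
```

The limiter keys purely on the (unauthenticated) source address, which is exactly the second DoS vector the post points out: anyone who can spoof UDP can spend a victim's budget for them. Production responders such as BIND's RRL soften this by answering a share of over-budget queries with a short truncated (TC) reply instead of silence, so a genuine resolver retries over TCP while the amplification payoff stays near zero.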