Re: flees indeed
Switching to TCP would fix the spoofing issue. Amplification is still an issue but at least we'd get some real IP addresses out of it to track down the botnets, making every attacking host reveal itself.
DNSSEC would be nice, but that fixes a different problem and I think I prefer DNS over TCP - or rather TLS, which is an easier thing to do.
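An added example, not part of the comment above: DNS already has a way to push a client from UDP to TCP, which is to answer with the TC (truncated) bit set. A spoofed source then receives a reply no larger than the query, while a real resolver retries over TCP and has to complete a handshake from its true address. The function names and the sample query are constructed for this example.

```python
import struct

QR, TC, RD, OPCODE_MASK = 0x8000, 0x0200, 0x0100, 0x7800

def question_end(msg: bytes) -> int:
    """Return the offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length & 0xC0:
            # Compression pointers have no place in a query's question.
            raise ValueError("pointer or reserved label type in question")
        pos += 1
        if length == 0:
            break
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    return pos + 4

def truncated_reply(query: bytes) -> bytes:
    """Build a UDP reply with TC=1 and no records, telling the client to retry over TCP."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & QR or qdcount != 1:
        raise ValueError("not a single-question query")
    end = question_end(query)
    # Echo ID, opcode and RD; drop every other section (including any EDNS OPT),
    # so the reply is never larger than the query that triggered it.
    out_flags = QR | TC | (flags & OPCODE_MASK) | (flags & RD)
    header = struct.pack("!HHHHHH", qid, out_flags, 1, 0, 0, 0)
    return header + query[12:end]

def build_query(name: str, qtype: int = 255, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a recursive query (default QTYPE 255 = ANY)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    q = build_query("example.com")
    r = truncated_reply(q)
    print(f"query {len(q)} bytes, reply {len(r)} bytes, factor {len(r) / len(q):.2f}")
```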