Hackers only need to look up an A record to a (sub)domain they control. The victim's IP and credit card(s) can be encrypted and encoded into an ASCII DNS name eg ip.creditcard.comprimised.dyndns.org
The lookup might fail but the hackers' DNS server would have a log of the lookup or they could just reply with whatever data they want ie an IP thats really a fragment of remote command data.
Therefore remote command requests and replies wouldn't even need to rely on TXT records and any usual proxying and UDP/TCP filtering of port 53 would not help.
I guess the thing to look out for is to be suspicious of A records that aren't the root or www AND to clamp down on excessive lookups on the same domain.
Practical solution? Get payment service providers to host "secure DNS".