Given that, how big a problem could open recursive name servers be? Pretty big. The Open Resolver Project has collected a list of 33 million open recursive name servers. Hackers can fire spoofed queries at as many of these as they like to spew isc.org data at your Web server, name server, or border router until it chokes.
That's how DNS-based DDoS attacks work. Thankfully, we have a few ways to combat them.
How to weather the storm
The first order of business is instrumenting your DNS infrastructure, so you'll know when you're under attack. Too many organizations have no idea what their query load is, so they'd never know if they were being attacked in the first place.
Determining your query load can be as simple as using BIND's built-in statistics support. The BIND name server will dump data to its statistics file when you run rndc stats, for example, or at a configurable statistics interval. You can examine the statistics for query rate, socket errors, and other indications of an attack. Don't worry if you're not sure what an attack will look like yet -- part of the goal of monitoring DNS is to establish a baseline, so you can identify what's abnormal.
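The baseline idea above can be turned into a small monitoring script. The following Python is an added example, not code from the original article or from ISC: it parses a series of BIND statistics dumps, turns the cumulative counters into per-interval query and socket-error rates, and flags any interval whose query rate is far above the rate seen in earlier intervals. The dump text is constructed for the example and only approximates the layout of BIND 9's named.stats file (section headers between "++" markers, counter lines of the form "count name"); the counter names, the five-times-baseline threshold and the 300-second dump spacing are assumptions for illustration.

```python
import re
from statistics import mean

# Constructed sample: four consecutive BIND 9 statistics dumps, five minutes
# apart, in an approximation of the named.stats layout. Counters in real dumps
# are cumulative since named started, so rates come from deltas between dumps.
# The last dump shows the kind of jump a flood of spoofed queries would produce.
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1700000000)
++ Incoming Requests ++
              120000 QUERY
++ Socket I/O Statistics ++
                  12 UDP/IPv4 recv errors
--- Statistics Dump --- (1700000000)
+++ Statistics Dump +++ (1700000300)
++ Incoming Requests ++
              150000 QUERY
++ Socket I/O Statistics ++
                  14 UDP/IPv4 recv errors
--- Statistics Dump --- (1700000300)
+++ Statistics Dump +++ (1700000600)
++ Incoming Requests ++
              181000 QUERY
++ Socket I/O Statistics ++
                  15 UDP/IPv4 recv errors
--- Statistics Dump --- (1700000600)
+++ Statistics Dump +++ (1700000900)
++ Incoming Requests ++
             2400000 QUERY
++ Socket I/O Statistics ++
                 900 UDP/IPv4 recv errors
--- Statistics Dump --- (1700000900)
"""

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+) \+\+$")
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Counters used below; keys are (section, counter name) as they appear in the dump.
QUERY_KEY = ("Incoming Requests", "QUERY")
ERROR_KEY = ("Socket I/O Statistics", "UDP/IPv4 recv errors")


def parse_dumps(text):
    """Return one dict per dump: {'ts': epoch seconds, 'counters': {(section, name): value}}."""
    dumps, current, section = [], None, None
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            current = {"ts": int(m.group(1)), "counters": {}}
            dumps.append(current)
            section = None
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if current is None or section is None or line.startswith("---"):
            continue
        m = COUNTER.match(line)
        if m:
            current["counters"][(section, m.group(2))] = int(m.group(1))
    return dumps


def interval_rates(dumps, query_key=QUERY_KEY, error_key=ERROR_KEY):
    """Per-second query and recv-error rates between consecutive dumps."""
    rates = []
    for prev, cur in zip(dumps, dumps[1:]):
        secs = cur["ts"] - prev["ts"]
        dq = cur["counters"].get(query_key, 0) - prev["counters"].get(query_key, 0)
        de = cur["counters"].get(error_key, 0) - prev["counters"].get(error_key, 0)
        # A negative delta means named restarted and counters reset; skip it.
        if secs <= 0 or dq < 0 or de < 0:
            continue
        rates.append({"ts": cur["ts"], "qps": dq / secs, "errors_per_s": de / secs})
    return rates


def flag_anomalies(rates, factor=5.0, min_baseline=2):
    """Timestamps of intervals whose qps exceeds factor x the mean of all earlier intervals.

    The first min_baseline intervals only seed the baseline and are never flagged.
    """
    flagged = []
    for i, r in enumerate(rates):
        if i < min_baseline:
            continue
        baseline = mean(x["qps"] for x in rates[:i])
        if baseline > 0 and r["qps"] > factor * baseline:
            flagged.append(r["ts"])
    return flagged


if __name__ == "__main__":
    rates = interval_rates(parse_dumps(SAMPLE_STATS))
    for r in rates:
        print(f"{r['ts']}: {r['qps']:.1f} qps, {r['errors_per_s']:.3f} recv errors/s")
    print("intervals far above baseline:", flag_anomalies(rates))
```

In practice you would feed this the statistics file after each rndc stats run or statistics interval and keep a longer history than four dumps; the point is that a rate threshold is only meaningful relative to a baseline you measured on quiet days, and that socket errors climbing alongside the query rate is a second signal worth watching.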
Next, take a look at your Internet-facing infrastructure. Don't limit yourself to your external authoritative name servers; examine your switch and router infrastructure, your firewalls, and your connections to the Internet. Identify any single points of failure. Determine whether you can easily (and cost-effectively) eliminate them.
If possible, consider broad geographical distribution of your external authoritative name servers. This helps avoid single points of failure, of course, but it also helps when you're not under attack. A recursive name server resolving a domain name in one of your zones will try to query the authoritative name server closest to it, so geographical distribution will tend to provide better performance to your customers and correspondents. If your customers are clustered in certain geographies, try to place an authoritative name server near them to provide the quickest responses.
Perhaps the most basic way to combat DoS attacks is to overprovision your infrastructure. The good news is that overprovisioning your name servers isn't necessarily expensive; a capable name server can handle tens or even hundreds of thousands of queries per second. Not sure what your name servers' capacity is? You might use query tools such as dnsperf to test your name servers' performance -- preferably using a test platform similar to your production name servers in a lab rather than the production servers themselves.