Deciding how much to overprovision your name servers is subjective: What is your online presence worth? Are there other components of your Internet-facing infrastructure that will fail before the name servers? Obviously, it's foolhardy to spend money to build first-class DNS infrastructure behind a border router or firewall that will fail well before your name servers even break a sweat.
If money is no object, it might be helpful to know that state-of-the-art DDoS attacks against DNS infrastructure can exceed 100Gbps.
Using Anycast can also help resist a DDoS attack. Anycast is a technique that allows multiple servers to share a single IP address, and it works particularly well with DNS. In fact, the Internet's root name servers have used Anycast for years to provide root zone data throughout the globe while still allowing the list of roots to fit into a single UDP-based DNS message.
To deploy Anycast, the hosts supporting your name servers will need to run a dynamic routing protocol, like OSPF or BGP. The routing process will advertise to its neighbor routers a route to a new, virtual IP address on which your name server listens. The routing process also needs to be smart enough to stop advertising that route if the local name server stops responding. You can glue your routing daemon to the health of your name server using code of your own construction -- or you can buy a product that takes care of that for you. Infoblox's NIOS, not coincidentally, includes Anycast support.
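As an added example (not from the article, and not Infoblox's or any routing daemon's own code), this is the kind of glue described above: it probes the local name server with a hand-built SOA query, applies hysteresis so one dropped packet doesn't flap the route, and withdraws or re-announces the Anycast address by removing or adding it on the loopback interface, which assumes a routing daemon such as BIRD or FRR configured to redistribute connected routes. The zone name and the 192.0.2.53/32 address are placeholders.

```python
import socket
import struct
import subprocess

def build_query(qname, txid=0x1234):
    """Minimal DNS query for the SOA record of qname, class IN: 12-byte header, QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 6, 1)

def response_is_healthy(query, response):
    """Healthy only if the reply echoes our ID, has QR set, RCODE 0 and at least one answer RR."""
    if len(response) < 12:
        return False
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return (txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)
            and (flags & 0x000F) == 0 and ancount >= 1)

def probe(zone="example.com", server="127.0.0.1", timeout=2.0):
    """One UDP query to the local name server (zone is a placeholder); timeout or socket error = unhealthy."""
    query = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            return response_is_healthy(query, sock.recvfrom(512)[0])
        except OSError:
            return False

class AnycastHealth:
    """Hysteresis: withdraw after fail_threshold consecutive failures, re-announce after pass_threshold passes."""
    def __init__(self, fail_threshold=3, pass_threshold=2, advertised=True):
        self.fail_threshold, self.pass_threshold = fail_threshold, pass_threshold
        self.advertised, self.fails, self.passes = advertised, 0, 0

    def update(self, healthy):
        """Feed one probe result; return 'withdraw', 'announce', or None when the route state is unchanged."""
        self.fails, self.passes = (0, self.passes + 1) if healthy else (self.fails + 1, 0)
        if self.advertised and self.fails >= self.fail_threshold:
            self.advertised = False
            return "withdraw"
        if not self.advertised and self.passes >= self.pass_threshold:
            self.advertised = True
            return "announce"
        return None

def apply(action, addr="192.0.2.53/32", dry_run=True):
    """Del/add the Anycast address (placeholder default) on lo; a daemon redistributing connected routes follows."""
    cmd = ["ip", "addr", "del" if action == "withdraw" else "add", addr, "dev", "lo"]
    return " ".join(cmd) if dry_run else subprocess.run(cmd, check=False).returncode
```

In production, call `state.update(probe())` from a loop that runs about once a second and hand any returned action to `apply(action, dry_run=False)`; with BIRD's `protocol direct` or FRR's `redistribute connected`, the /32 is announced only while it is configured on the loopback.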
How does Anycast defend against DDoS attacks? Well, say you have six external name servers in two Anycast groups (that is, three sharing one Anycast IP address and three sharing another). Each group contains one member in the United States, one in Europe, and one in Asia. A host mounting a DDoS attack against you can only send traffic to -- and hence only attack -- one member of each group from any point on the Internet at a time, because routing delivers its packets to the nearest instance. Unless attackers can source enough traffic from North America, Europe, and Asia simultaneously to swamp your infrastructure, they won't succeed.
Finally, there's a way you can take advantage of wide geographical distribution and Anycast at the same time, without significant capital outlay: Use a cloud-based DNS provider. Companies such as Dyn and Neustar run Anycast name servers of their own in data centers around the world. You pay them to host your zones and answer queries for your data. And you can continue to maintain direct control over your zone data by asking a provider to configure its name servers as secondaries for your zones, loading the data from a master name server you designate and manage in-house. Just be sure you run the master hidden (that is, with no NS record pointing to it), or you run the risk that an attacker will target it as a single point of failure.