One word of caution when using cloud-based DNS providers: Most bill you at least partly based on the number of queries their name servers receive for data in your zones. In a DDoS attack, those queries might increase dramatically (completely outside of your control and not at all to your benefit), so make sure they have a provision for dealing with DDoS attacks without passing the cost of the traffic on to you.
How to avoid becoming an accomplice in DDoS attacks
Now you know how to configure your DNS infrastructure to resist a DDoS attack. It's nearly as important, though, to ensure that you're not complicit in a DDoS attack against someone else.
Remember the description of how DNS servers can amplify traffic? Attackers can use both open recursive name servers and authoritative name servers as amplifiers, sending spoofed queries that cause the name servers to send responses more than 100 times as large as the query to arbitrary targets on the Internet. Now, of course you don't want to be the target of such an attack, but you don't want to be an accomplice, either. The attack uses your name servers' resources as well as your bandwidth. If the target takes measures to block traffic from your name server to its network, then after the attack ends, the target may not be able to resolve domain names in your zones.
If you run an open recursive name server, the solution is simple: Don't. There are very few organizations that have any justification for running a name server open to recursive queries. Google Public DNS and OpenDNS are two that come to mind, but if you're reading this, I'm guessing you're probably not them. The rest of us should apply access controls to our recursive name servers to make sure only authorized queriers use them. That probably means limiting DNS queries to IP addresses on our internal networks, which is easy to do on any name server implementation worth its salt. (The Microsoft DNS Server doesn't support IP address-based access controls on queries. Read what you want to into that.)
But what if you run an authoritative name server? Obviously, you can't limit the IP addresses from which you'll accept queries -- or not very much, anyway (you might deny queries from obviously bogus IP addresses, such as RFC 1918 addresses). But you can limit responses.
Two longtime Internet "white hats," Paul Vixie and Vernon Schryver, realized DDoS attacks that use authoritative name servers for amplification exhibit certain query patterns. In particular, attackers send name servers the same query from the same spoofed IP address (or address block) over and over, seeking maximum amplification. No well-behaved recursive name server would do that. It would have cached the response and not asked again until the time to live of the records in the response elapsed.
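The repeated-query pattern described above can be picked out of an authoritative server's query log. The following Python script is an added example, not code from the article or from Vixie and Schryver's work: it groups queries by source address block plus query name and type, and flags any group that repeats more than a threshold within a short sliding window, while a resolver that re-asks only after the TTL has elapsed is left alone. The log lines, the /24 grouping and the threshold values are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in a BIND-style query-log layout (not real traffic):
# an amplification pattern (same ANY query, spoofed sources in one /24, many
# times per second) next to a well-behaved resolver that asks once and then
# re-asks only after a 300-second TTL has elapsed.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01 12:00:00.{i:03d} client 192.0.2.{7 + i % 3}#{40000 + i} "
     f"(example.com): query: example.com IN ANY" for i in range(12)]
    + [
        "2024-05-01 12:00:01.000 client 203.0.113.5#53100 (example.com): query: example.com IN A",
        "2024-05-01 12:05:01.000 client 203.0.113.5#53101 (example.com): query: example.com IN A",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

def source_block(ip: str) -> str:
    """Collapse the client address to its /24 (IPv4) or /56 (IPv6) so that
    spoofed sources spread across one block are counted together (assumed sizes)."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def find_amplification_patterns(log_text, window_s=1.0, max_per_window=5):
    """Return {(source block, qname, qtype): peak count} for every group that
    repeats more than max_per_window times inside a window_s-second sliding window."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not query records
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (source_block(m["ip"]), m["qname"].lower(), m["qtype"].upper())
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop queries that fell out of the window
        if len(q) > max_per_window:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for key, peak in find_amplification_patterns(SAMPLE_LOG).items():
        print(f"repeated {peak}x in one window: {key}")
```

A flagged group is the input a response-rate-limiting policy would act on; the legitimate resolver's two queries five minutes apart never exceed the threshold.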