Seriously, say I block (return, not drop, of course) UDP :53 inbound to my authoritative nameserver. Resolvers will fall back to TCP and I won't need any rate limiting against spoofed source IPs, because the spoofed victim of a DDoS attack would only get the connection-refused equivalent for UDP, or a TCP ACK, not a much larger DNS answer.
Simple solution, everything is fine. Or isn’t it that simple?
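To put numbers on the question, here is an added example (not from the original post or any project it mentions) that builds a real RFC 1035 / RFC 6891 query and answer in wire format and compares what a spoofed source address would receive in three constructed cases: a normal UDP answer, the ICMP port-unreachable sent when UDP/53 is rejected, and the SYN/ACK sent when a spoofed SYN hits TCP/53. It also shows the TC bit, the signal a resolver reacts to by retrying over TCP. Assumptions are labelled in the comments: IPv4 without options, a 20-byte TCP SYN/ACK with no options, the RFC 792 rule that an ICMP unreachable quotes the IP header plus the first 8 bytes of the offending datagram, and the record counts and sizes of the sample answer.

```python
import struct

# Constructed on-wire sizes in bytes (assumptions: IPv4, no IP/TCP options).
IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20          # SYN/ACK without options
ICMP_HDR = 8          # type, code, checksum, unused
ICMP_QUOTED = 8       # RFC 792: unreachable quotes IP header + first 8 bytes of datagram

FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200      # truncated: tells the resolver to retry over TCP
FLAG_RD = 0x0100


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_bufsize=4096):
    """DNS query with one question and an OPT RR advertising edns_bufsize (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root name, type OPT
    return header + question + opt


def build_response(query, rdata_list, truncated=False):
    """Answer `query` with one TXT RR per rdata, using a compression pointer to the question name.
    With truncated=True the answer section is empty and TC is set, as a server does when
    the answer does not fit the advertised UDP buffer."""
    txid, = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]           # name + qtype + qclass copied from the query
    flags = FLAG_QR | FLAG_AA | FLAG_RD | (FLAG_TC if truncated else 0)
    rrs = [] if truncated else rdata_list
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    answers = b""
    for rdata in rrs:
        # 0xC00C = pointer to offset 12, the question name; type TXT, class IN, TTL 300
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answers


def is_truncated(msg):
    """True if the TC bit is set in the DNS header (resolver should retry over TCP)."""
    flags, = struct.unpack("!H", msg[2:4])
    return bool(flags & FLAG_TC)


def reflection_ratio(request_wire_len, reply_wire_len):
    """Bytes delivered to the spoofed source per byte the attacker sent."""
    return reply_wire_len / request_wire_len


def compare(name="example.com", records=10, rdata_len=255):
    """Constructed scenario: a TXT query answered by `records` TXT RRs of rdata_len bytes each.
    Returns the reflection ratio for a UDP answer, an ICMP port unreachable and a TCP SYN/ACK."""
    rdata = b"\xfe" + b"A" * (rdata_len - 1)     # one 254-character TXT string
    query = build_query(name, qtype=16)
    answer = build_response(query, [rdata] * records)
    udp_request = IPV4_HDR + UDP_HDR + len(query)
    tcp_syn = IPV4_HDR + TCP_HDR
    return {
        "udp_answer": reflection_ratio(udp_request, IPV4_HDR + UDP_HDR + len(answer)),
        "icmp_port_unreachable": reflection_ratio(
            udp_request, IPV4_HDR + ICMP_HDR + IPV4_HDR + ICMP_QUOTED),
        "tcp_synack": reflection_ratio(tcp_syn, IPV4_HDR + TCP_HDR),
    }


if __name__ == "__main__":
    q = build_query("example.com", qtype=16)
    print("query bytes:", len(q))
    print("truncated reply sets TC:", is_truncated(build_response(q, [], truncated=True)))
    for mode, ratio in compare().items():
        print(f"{mode:24s} {ratio:6.2f}x")
```

The figures are for the constructed answer only; the point of the script is the shape of the comparison, a UDP answer that is tens of times larger than the request against two rejection replies that are at most the size of what was sent, and the TC bit, which is what a resolver actually keys its TCP retry on.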