
To: justlurking
The SYN/ACK DDoS attack I referred to works no matter what's running on the victim--it's targeted at the victim's resources--not any particular server. The attacker sends SYN packets at each host he wants to send traffic to the victim, with the victim's IP in the source address. The server SYN/ACKS to the victim, whose stack doesn't have a clue what to do with the packet. Gibson has a write-up on this attack somewhere on grc.com, if I remember correctly.
51 posted on 10/22/2002 9:01:08 PM PDT by dwollmann


To: dwollmann
SYN/ACK is only a vulnerability if the server accepts TCP connections. Since DNS is nominally a UDP protocol, it's connectionless. There is no SYN/ACK handshake to create a connection: a request comes in, a reply goes out. If the server doesn't reply to the request for any reason, it's the responsibility of the application to retry or take other action. That's what the U in UDP means: Unreliable.

The DNS protocol does provide a TCP port for name service, but convention discourages its use. I wouldn't be surprised if the root servers don't support it, due to the resources that would be required to support a large number of users.

However, zone transfers (which update DNS servers) use TCP in order to preserve data integrity. There are presumably some security measures in place to protect against a SYN flood.

It turns out that this was indeed a DDoS attack, but it was a flood of ICMP echo requests. That made it very easy to filter with a firewall, although the attack apparently ended very quickly. See this posting for details.

57 posted on 10/22/2002 9:54:24 PM PDT by justlurking
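The point justlurking makes about UDP name service (no handshake, and the application must retry when no reply arrives) is easy to see in code. The following is an added example written for this page, not code from either poster or from any DNS implementation: it builds a standard A query, parses the answer section, and wraps the send in an application-level retry with exponential back-off. The transport is injected so it runs offline against a constructed fake resolver that drops the first few queries; a real client would pass a function that does `sock.sendto`/`sock.recvfrom` with `sock.settimeout`.

```python
"""DNS-over-UDP query/answer handling with application-level retry.

Added illustration: UDP gives no delivery guarantee, so the client, not the
transport, decides how many times to ask again and how long to wait.
"""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard A-record query (RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_a_answers(resp: bytes, expected_txid: int) -> list:
    """Return the IPv4 strings in the answer section; reject mismatched IDs."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):               # skip the echoed question section
        while resp[off] != 0:
            off += resp[off] + 1
        off += 1 + 4                  # terminator + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if resp[off] & 0xC0 == 0xC0:  # name compression pointer (2 bytes)
            off += 2
        else:
            while resp[off] != 0:
                off += resp[off] + 1
            off += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name: str, send, retries: int = 3, base_timeout: float = 1.0) -> list:
    """Ask up to `retries` times. `send(payload, timeout)` returns the reply
    bytes or None on timeout, which is exactly what a UDP socket would do."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid)
    timeout = base_timeout
    for _attempt in range(retries):
        resp = send(query, timeout)
        if resp is not None:
            return parse_a_answers(resp, txid)
        timeout *= 2                  # back off before asking again
    raise TimeoutError("no answer for %s after %d attempts" % (name, retries))


def make_fake_resolver(drop_first: int, answer_ip: str):
    """Constructed offline resolver: silently drops the first `drop_first`
    queries, then answers with `answer_ip`. Returns (send_fn, state)."""
    state = {"attempts": 0}

    def send(payload: bytes, timeout: float):
        state["attempts"] += 1
        if state["attempts"] <= drop_first:
            return None               # simulate a lost datagram
        txid = struct.unpack("!H", payload[:2])[0]
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        question = payload[12:]
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        return header + question + answer

    return send, state


if __name__ == "__main__":
    send_fn, st = make_fake_resolver(drop_first=2, answer_ip="192.0.2.1")
    print(resolve("example.com", send_fn), "after", st["attempts"], "attempts")
```

Checking the transaction ID on every reply is the one cheap defence a UDP client has against an answer it never asked for; the retry count and back-off are the application's business, which is the responsibility the post describes.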
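Both attacks discussed in this exchange have a simple signature from the victim's side: the reflected SYN/ACK flood dwollmann describes shows up as SYN/ACKs arriving for connections the victim never opened, and the ICMP echo flood justlurking mentions shows up as a burst of echo requests from a few sources. This added example (not code from either poster) runs those two checks over a constructed packet-summary log in a tcpdump-like one-line-per-packet format; the addresses, the log format and the victim IP `OUR_IP` are all assumptions made for the illustration.

```python
"""Flag unsolicited SYN/ACKs and ICMP echo bursts in a packet-summary log.

Added illustration with constructed data. Line format assumed here:
  <ts> tcp  <src>:<sport> > <dst>:<dport> <flags>    (S = SYN, SA = SYN/ACK)
  <ts> icmp <src> > <dst> echo-request
"""
from collections import defaultdict

OUR_IP = "203.0.113.10"   # constructed victim address (TEST-NET-3 range)

SAMPLE_LOG = """\
0.001 tcp 203.0.113.10:40001 > 198.51.100.5:80 S
0.030 tcp 198.51.100.5:80 > 203.0.113.10:40001 SA
0.100 tcp 198.51.100.7:80 > 203.0.113.10:51234 SA
0.101 tcp 198.51.100.8:443 > 203.0.113.10:51235 SA
0.102 tcp 198.51.100.9:80 > 203.0.113.10:51236 SA
1.000 icmp 192.0.2.77 > 203.0.113.10 echo-request
1.010 icmp 192.0.2.77 > 203.0.113.10 echo-request
1.020 icmp 192.0.2.77 > 203.0.113.10 echo-request
1.030 icmp 192.0.2.77 > 203.0.113.10 echo-request
1.040 icmp 192.0.2.77 > 203.0.113.10 echo-request
1.050 icmp 192.0.2.77 > 203.0.113.10 echo-request
2.500 icmp 192.0.2.9 > 203.0.113.10 echo-request
"""


def parse_line(line: str) -> dict:
    """Split one summary line into its fields; ports are None for ICMP."""
    ts, proto, src, _arrow, dst, info = line.split()
    if proto == "tcp":
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return dict(ts=float(ts), proto=proto, src=src_ip, sport=int(sport),
                    dst=dst_ip, dport=int(dport), info=info)
    return dict(ts=float(ts), proto=proto, src=src, sport=None,
                dst=dst, dport=None, info=info)


def find_unsolicited_synacks(records: list) -> list:
    """A SYN/ACK to us is legitimate only if we sent the matching SYN first;
    anything else is reflection traffic (or backscatter) and is reported."""
    outstanding = set()
    unsolicited = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["src"] == OUR_IP and r["info"] == "S":
            outstanding.add((r["dst"], r["dport"], r["sport"]))
        elif r["dst"] == OUR_IP and r["info"] == "SA":
            key = (r["src"], r["sport"], r["dport"])
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append((r["src"], r["sport"]))
    return unsolicited


def find_icmp_echo_floods(records: list, threshold: int = 5, window: float = 1.0) -> dict:
    """Count inbound echo requests per source per `window` seconds and return
    the sources whose peak count reaches `threshold`."""
    buckets = defaultdict(int)
    for r in records:
        if r["proto"] == "icmp" and r["dst"] == OUR_IP and r["info"] == "echo-request":
            buckets[(r["src"], int(r["ts"] // window))] += 1
    peaks = defaultdict(int)
    for (src, _slot), n in buckets.items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n >= threshold}


def analyze(log_text: str, icmp_threshold: int = 5):
    """Run both checks over a log and return (unsolicited SYN/ACKs, ICMP offenders)."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return find_unsolicited_synacks(records), find_icmp_echo_floods(records, icmp_threshold)


if __name__ == "__main__":
    synacks, floods = analyze(SAMPLE_LOG)
    print("unsolicited SYN/ACKs from:", synacks)
    print("ICMP echo sources over threshold:", floods)
```

The two results call for different responses. The unsolicited SYN/ACKs cannot be blocked at the reflecting servers (they are behaving correctly), so the fix is upstream: ingress filtering that stops forged source addresses, and rate limiting or dropping of inbound SYN/ACKs that match no outstanding connection. The echo flood is the case justlurking calls easy to filter; a stateless rate limit such as `iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT` followed by a drop rule for the remainder (an illustration using existing iptables options, not a rule from the thread) is enough to keep it off the host.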



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson