As everyone knows, an important threat against the Internet is that of a coordinated DDoS attack against the root TLD DNS servers. The way I'd solve it is with a simple inline device that both blocks some simple attacks from hitting the DNS server and answers simple queries itself, offloading the main server, even if it's failed. This can be done with $2000, half for the desktop machine, and the other half for the dual-port 10-gig Ethernet.
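
One way the per-packet decision in such an inline device could look, as an added sketch that is not code from the original post. It assumes "simple attacks" means malformed or non-query packets and "simple queries" means A-record lookups for names in a preloaded table; `CACHE`, `parse_question` and `handle` are hypothetical names, and the zone data is constructed.

```python
import struct

# Constructed sample data; name and address are illustrative placeholders.
# Key: (lowercased qname, qtype) -> IPv4 address.
CACHE = {("ns1.example.", 1): "192.0.2.53"}

def parse_question(pkt):
    """Return (txid, flags, qname, qtype, qclass, end_offset), or None if malformed."""
    if len(pkt) < 12:
        return None
    txid, flags, qd, an, ns, _ar = struct.unpack("!6H", pkt[:12])
    # A plain query has QR=0, opcode=0, one question, no answer/authority records.
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None
    off, labels = 12, []
    while True:
        if off >= len(pkt):
            return None
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(pkt):  # pointer bytes or label overrunning the packet
            return None
        labels.append(pkt[off:off + n].decode("ascii", "replace").lower())
        off += n
    if off + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!2H", pkt[off:off + 4])
    return txid, flags, ".".join(labels) + ".", qtype, qclass, off + 4

def handle(pkt):
    """Return ("drop", None), ("forward", pkt) or ("answer", response_bytes)."""
    q = parse_question(pkt)
    if q is None:
        return "drop", None
    txid, flags, qname, qtype, qclass, end = q
    addr = CACHE.get((qname, qtype)) if qclass == 1 else None
    # Anything after the question (e.g. EDNS options) is left to the real server.
    if addr is None or end != len(pkt):
        return "forward", pkt
    # Response header: QR=1, AA=1, RD copied from the query; one question, one answer.
    hdr = struct.pack("!6H", txid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(x) for x in addr.split("."))
    return "answer", hdr + pkt[12:end] + rr
```
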