DDoS depends on public addresses acting as a clients pounding your DNS server with thousands of recursive queries at once. If your DNS server isn't public, then it isn't a open resolver, and a client on the internet can't query it directly.
In our case, we have a local DNS server, available to the internet, as a backup to our ISP-hosted DNS. This server is typically vulnerable. But it's set with a higher cost so it won't be used unless ISP goes down.