My reply assumes that your servers are exposed to the Internet, and being used in a DDoS. A NAT firewall and any better-grade gateway, for instance, will block these attacks by default. (It is possible to explicitly allow TCP or UDP 53 traffic through most of these devices, however. It's also possible that infested systems located behind the firewall for DDoS, though that's less common.)
Please use Shields Up or another port scanner, and find out what ports you have open and visible to the 'net.
I do not know of a way to selectively disable DNS access to the ports on recent OS X Server versions using the standard tools, short of an external firewall; to allow local access, but block remote access. (There are ways to do this, but not GUI-based. Again, this assumes the DNS server is exposed to the 'net.)
Figuring out what happened usually involves viewing the DNS log files, to determine whether the DNS server is malfunctioning (or is possibly being attacked), and potentially also monitoring the network traffic.