Most likely all the machines behind DDoS had the domain name IP locally cached and with most router/computer configurations if you are actively using some addresse it takes very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.
Saying that the attack didn't go over to btcguild and because of that they are to blame is funny.
For people who has problem with reading:
But *everytime* when I changed DNS records to new IP or even when I created yet another DNS record (do you remember my post about new DNS api3.bitcoin.cz last week?), attack followed those changes in DNS or posts on forum almost immediately
So your post about caching of DNS is teoretically correct, however in real life it work differently.