Board: Pools
Topic: Re: BTCGuild and it's relation to DDoS attackers
by DeathAndTaxes on 21/10/2011, 13:49:56 UTC
I doubt the person behind the DDoS specifically wrote the bots to resolve the domain name every now and then while sending packets. Why add such overhead? I don't know many programmers who ever need to write anything like that. Actually it is usually even the opposite, people force their software to automatically use the IP address after resolving the IP for the very first time to reduce overhead.

Most likely all the machines behind the DDoS had the domain name IP locally cached, and with most router/computer configurations, if you are actively using some address it takes a very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.

Saying that the attack didn't go over to btcguild and because of that they are to blame is funny. You must really hate them very much, slush.

Um, that would be the worst botnet operator in the history of the computing industry.

To defeat this "idiot botnetter"
Step 1: change local IP address of server being attacked. Set up a dummy server to take the DDoS attack and assign it the attacked IP address.
Step 2: update DNS so attacked domain points to new IP address.
Step 3: you winz because the idiot is now targeting nothing.

Obviously the botnet needs to periodically use DNS to keep the attack "on target". If you read, Slush indicated (both in this thread and during the attack) that he changed the DNS record to point to new servers multiple times and EVERY SINGLE TIME the attack followed the updated DNS. He also added new domains pointing to new servers and the attack expanded to include those.

There was one exception .... when he pointed the DNS to BTC Guild servers.  Then and only then the attack didn't follow the DNS change.

I am not saying BTC Guild was behind it but it is at least "interesting".
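
The comparison the post relies on can be checked from flow data: for each DNS change, measure how long the flood took to appear on the new address and note any change it never followed. This is an added example, not part of the original post; the addresses, timestamps, packet rates, TTL, window and threshold are all constructed assumptions.

```python
# Added example: constructed data, not measurements from the thread.
from typing import NamedTuple

class DnsChange(NamedTuple):
    ts: int       # seconds since the start of the incident
    new_ip: str   # address the A record was repointed to

# Constructed timeline of A-record changes (RFC 5737 documentation addresses).
CHANGES = [DnsChange(0, "192.0.2.10"), DnsChange(3600, "192.0.2.20"),
           DnsChange(7200, "198.51.100.5"), DnsChange(10800, "192.0.2.30")]

# Constructed flow samples: (ts, destination IP, packets per second).
SAMPLES = [
    (600, "192.0.2.10", 90000),    # flood reaches the first address
    (3900, "192.0.2.10", 85000),   # still on the old address after change 2
    (4800, "192.0.2.20", 91000),   # flood moves to the second address
    (4800, "192.0.2.10", 400),     # old address back to background traffic
    (9000, "192.0.2.20", 86000),   # flood stays put after change 3
    (9000, "198.51.100.5", 300),   # third address only sees background
    (11400, "192.0.2.30", 93000),  # flood follows the fourth change
]

def classify(changes, samples, ttl=900, window=1800, flood_pps=10_000):
    """Return [(new_ip, lag_seconds_or_None, verdict)] for each DNS change.

    lag is the delay between the record change and the first flood-level
    sample on the new address inside the observation window.
    """
    out = []
    for ch in changes:
        hits = [ts for ts, ip, pps in samples
                if ip == ch.new_ip and ch.ts <= ts <= ch.ts + window
                and pps >= flood_pps]
        if not hits:
            out.append((ch.new_ip, None, "not_followed"))
            continue
        lag = min(hits) - ch.ts
        # A lag at or under the TTL is what periodic re-resolution looks like.
        out.append((ch.new_ip, lag, "within_ttl" if lag <= ttl else "late"))
    return out

def exceptions(report):
    """Addresses the flood never reached: the cases worth a closer look."""
    return [ip for ip, _lag, verdict in report if verdict == "not_followed"]

if __name__ == "__main__":
    for row in classify(CHANGES, SAMPLES):
        print(row)
```

A "not_followed" verdict only says the flood did not reach that address within the window; it does not by itself say why.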