I'll tell you what I know about this, but I'd investigate it further as I'm more of a software developer than a hardware security guy. Get a nice fiber optic connection to your datacenter and create some kind of relay station in it. You should have your DNS point to various IPs that host the website. (I think) Make the system check which IP has the lowest load and send people to that IP. In order to mitigate a DNS DDoS, create lots of DNS entries with your domain registrar so that various DNS servers answer the call. That's the reason you have backup DNS name servers in the first place. The registrar tells ICANN what your name servers are and ICANN always can (haha) stay up.
As long as you do all of that, you should be able to mitigate a DDoS attack.