wonders what Kaminsky's big DNS poisoning bug is.
It has to do with the source ports of requests being predictable.
Could it be as simple as spamming a bunch of gratuitous DNS responses?
The CERT advisory, MS08-020 and MS08-037 seem to indicate this is spoofing with predictable source ports / TXID values.
However, MS08-037 also makes references to DNS cache logic changes, so there might be something subtle in there.
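
A way to check a resolver you operate for the predictable source port / TXID condition mentioned above. This is an added example, not part of the original post: the function names, the step limit of 16 and the 16-bit "weak" cutoff are assumptions, and the query samples are constructed.

```python
import math

FIELD_SPACE = 65536  # UDP source port and DNS TXID are both 16-bit fields
MAX_STEP = 16        # assumed limit for calling a sequence "incrementing"

def steps(values):
    """Forward distance between consecutive values, modulo the field size."""
    return [(b - a) % FIELD_SPACE for a, b in zip(values, values[1:])]

def pattern(values):
    """Classify one field as seen on consecutive outgoing resolver queries."""
    if len(set(values)) == 1:
        return "fixed"
    # Small forward steps: the next value is guessable from the previous one.
    if all(0 < s <= MAX_STEP for s in steps(values)):
        return "incrementing"
    return "varied"

def unpredictable_bits(values):
    """Rough number of bits an off-path sender would have to guess (sample estimate)."""
    kind = pattern(values)
    if kind == "fixed":
        return 0.0
    if kind == "incrementing":
        return math.log2(max(steps(values)))
    # Varied: use the span covered by the sample as a coarse estimate.
    return math.log2(max(values) - min(values) + 1)

def audit(queries):
    """queries: list of (source_port, txid) from one resolver, in send order."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    bits = unpredictable_bits(ports) + unpredictable_bits(txids)
    # Assumed cutoff: 16 bits or fewer means at most one field is protecting the reply.
    return {"ports": pattern(ports), "txids": pattern(txids),
            "bits": round(bits, 1), "weak": bits <= 16}

# Constructed samples, not captured traffic.
FIXED_PORT = [(32768, 0x1A2B), (32768, 0xC401), (32768, 0x07F3), (32768, 0x9E55)]
RANDOM_PORT = [(51234, 0x1A2B), (1893, 0xC401), (40012, 0x07F3), (23377, 0x9E55)]

if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT), ("random port", RANDOM_PORT)):
        print(name, audit(sample))
```

With only four queries per sample the bit counts are coarse; a real audit would use many more queries observed at an authoritative server you control.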