At this point in time, most of the DNS resolvers support TCP, and there are a VERY large number of DNS resolvers (~30 million) that pose a threat.
You are correct. If the response to a query (such as the one in my example) would be larger than the size allowed for a UDP packet, TCP is used. However, this does not change the parameters of the attack. UDP is used in the query because (other than the obvious) it is a connection-less protocol which requires no handshake, in turn making it easier for an attacker to spoof the source address. The transmission of the response could be UDP or TCP; it doesn't really matter. As long as you have amplification in the response and a well-written attack script querying the resolver, you end up sending a lot of DATA, all at once.
So they could spoof the TCP connections the same as UDP? I mean, if they're connecting using TCP, it'd just be a bunch of connection-establishing attempts instead of a bunch of datagrams.
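The amplification discussed in this thread (small UDP queries, large responses), seen from the resolver operator's side: an added example, not part of any post above, that computes a per-client response/query byte ratio to flag addresses likely being used as reflection victims. The log format, field names and thresholds are assumptions made up for this sketch, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical format (not a real resolver's log):
# epoch_seconds  client_ip  transport  qtype  query_bytes  response_bytes
SAMPLE_LOG = """\
1700000000 192.0.2.10 udp A 40 56
1700000001 198.51.100.7 udp ANY 44 3100
1700000001 198.51.100.7 udp ANY 44 3100
1700000002 198.51.100.7 udp ANY 44 3100
1700000002 198.51.100.7 udp ANY 44 3100
1700000003 198.51.100.7 udp ANY 44 3100
1700000003 192.0.2.10 udp AAAA 40 68
1700000004 203.0.113.5 tcp ANY 44 3100
1700000005 192.0.2.10 udp MX 40 120
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (client_ip, transport, query_bytes, response_bytes); skip bad lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, src, proto, _qtype, qlen, rlen = parts
        try:
            yield src, proto.lower(), int(qlen), int(rlen)
        except ValueError:
            continue

def suspected_reflection_targets(log_text, min_queries=5, min_factor=10.0):
    """Return {client_ip: amplification_factor} for UDP clients over both thresholds."""
    q_bytes, r_bytes, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, proto, qlen, rlen in parse(log_text):
        # Only UDP is counted: it has no handshake, so the logged source
        # address is unverified and may belong to a victim, not the sender.
        if proto != "udp":
            continue
        q_bytes[src] += qlen
        r_bytes[src] += rlen
        count[src] += 1
    flagged = {}
    for src, n in count.items():
        if n < min_queries or q_bytes[src] == 0:
            continue
        factor = r_bytes[src] / q_bytes[src]
        if factor >= min_factor:
            flagged[src] = round(factor, 1)
    return flagged

if __name__ == "__main__":
    print(suspected_reflection_targets(SAMPLE_LOG))
```

A flagged address is a candidate for response rate limiting on the resolver; the default thresholds here are illustrative and need tuning against normal traffic.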