The best option to prevent this is called “fake root” or “hidden root”.
I don’t know all the specifics and caveats, but basically you create a “Super Top Level Relay” and give it the FQDN that the root server has, and then point that same domain at the actual IP of the root server in the “Super Top Level Relay”'s hosts file.
- Move content downloading to a Relay
- Interconnect 2015: Stanford University - Securing your IEM infrastructure
This approach has a few security and performance benefits by shifting load to a single “Top Level Relay”, which can be swapped out or upgraded much more easily than the root server itself.
I would recommend 10gig (or better) networking between the “Super Top Level Relay” / “fake root” and the actual root server.
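
A check for the hosts-file override described in the post above, as an added example that is not part of the original post: it parses hosts-file text taken from the relay and reports whether the root FQDN is pinned to the root server's real IP. The FQDN, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: hosts file on the "Super Top Level Relay".
# root.example.com and 192.0.2.10 are placeholders, not values from the post.
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1    localhost
192.0.2.10   ROOT.example.com root   # actual root server
"""

def parse_hosts(text):
    """Return [(ip, [lowercased names])] for every valid hosts-file entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                      # blank or malformed line
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                       # first field is not an address
            continue
        entries.append((ip, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries

def check_fake_root(hosts_text, root_fqdn, root_ip):
    """Classify the override for root_fqdn: ok, missing, wrong or conflict."""
    want = ipaddress.ip_address(root_ip)
    name = root_fqdn.lower().rstrip(".")         # host names are case-insensitive
    mapped = [ip for ip, names in parse_hosts(hosts_text) if name in names]
    if not mapped:
        return "missing"     # relay would fall back to DNS for the root FQDN
    if all(ip == want for ip in mapped):
        return "ok"
    if all(ip != want for ip in mapped):
        return "wrong"       # pinned, but not to the real root server
    return "conflict"        # mixed entries: result depends on resolver order

if __name__ == "__main__":
    print(check_fake_root(SAMPLE_HOSTS, "root.example.com", "192.0.2.10"))
```

A result of `missing` matters most in this design: if public DNS points the root FQDN at the relay, a relay without the override would resolve the name to itself rather than to the root server.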