What is the definition of a "protective" DNS service?

Solution 1:

First of all, this is more of a marketing term used to describe/differentiate various service offerings. The term is largely self-explanatory regarding what the service does more than just plain DNS (it also protects against something), but there is no technical definition of what exactly a service must do in order to qualify.

I have only ever seen this term used in the context of resolver servers, never about authoritative servers. (I can't immediately think of what an authoritative server would do in order to be "protective".)

Regarding your examples, I think services like Quad9 and OpenDNS are well known examples of publicly available services that can reasonably be called "protective", as these have filters for known "bad" domain names. Essentially they have a list of domain names that have been found to be used for malicious purposes and refuse to answer queries for these.

Similar filtering capabilities are more or less a standard feature for resolver server implementations that you can run yourself (what to filter is where the value lies, not so much how to filter).
For example, BIND, Unbound, Knot-resolver, PowerDNS-recursor all support Response Policy Zones (RPZ), which is a standardized format for policy-based name resolution overrides.
If you run your own resolver server and configure it to load an RPZ zone that blocks some known set of malware domains, your own server would also reasonably qualify as a "protective" DNS server.