@castarco I don't see how it protects against DoS attacks. The DoS problem is caused by badly written regexes that take "forever" to fail, so the regex engine is busy trying all possible variations to make the regex match a given string (assuming a standard backtracking implementation).
Making quantifiers non-greedy (by appending ?) does not change the number of ways a regex can match, nor does it shortcut the matching process. It simply changes the order in which alternatives are tried.
In the case of X*, the normal order is to try to match as many X's as possible and only "give back" matches if the rest of the regex fails to match. With X*?, the regex engine will try to match as few repetitions as possible (i.e. 0 at first) and only consume more if the rest of the regex fails to match. In either case all possibilities are tried before giving up.