Securing DNS (BIND/named)

• use latest (bug-free) software
• restrict zone transfers (allow-transfer)
• restrict dynamic updates (allow-update) -- this is probably the default
• turn off recursion (recursion); or
• restrict recursive queries (allow-recursion)
• restrict queries (allow-query)
• maybe disable glue fetching (fetch-glue)
• limit use of rndc (allow)

For default options only allow-queries only for internal network; then allow-query for all for zones you're authoritative for. A slave doesn't need to allow zone transfers.