Basic security:
- when installing OS, install only the necessary services
- do not install gnome or other gui
- install iptables and only allow tcp/udp 53
- for administration, use only ssh and only permit specific source ip addresses
- bind can be configured with an ACL so that it only allows recursive queries from specific networks
- do not allow remote access to the root account, even over ssh. Users need to "su -" to root after a successful login
Restrict access to the SOA/master:
- You can hide it behind a firewall, using a private IP with no outside network access to it.
- Only allow internet access to slaves
- When registering NS to Domain Authority and NIC (for reverse zone), only register slaves.
- The only connection to/from soa/master is the zone transfer from soa/master to slaves
Remember to configure all NS to download the zone from the root monthly. This can be done by creating a script and running it from cron.
You can scan it using nessus every 2 months to check for vulnerabilities.
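
The recursion ACL and the hidden SOA/master layout described above, sketched as BIND named.conf fragments. This is an added example, not part of the original post; every address, the zone name and the file paths are constructed placeholders.

```conf
// ---- named.conf on the hidden master (private IP, behind the firewall) ----
// All addresses, the zone name and file paths are constructed placeholders.
acl "slaves" { 198.51.100.53; 203.0.113.53; };

options {
    directory "/var/named";
    listen-on { 10.0.0.10; };      // private address only
    recursion no;                  // master answers nothing but its own zones
    allow-query    { slaves; };    // slaves check the SOA before a transfer
    allow-transfer { slaves; };    // zone transfer to the slaves only
    notify explicit;               // send NOTIFY only to also-notify targets
    also-notify { 198.51.100.53; 203.0.113.53; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";   // NS records here list only the slaves
};

// ---- named.conf on each public slave (the only registered NS) ----
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // networks allowed to recurse

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };  // everyone else gets authoritative data only
    allow-query     { any; };      // the public must be able to query the zone
    allow-transfer  { none; };     // slaves do not hand the zone onward
};

zone "example.com" {
    type slave;
    masters { 10.0.0.10; };        // pull from the hidden master
    file "slaves/example.com.zone";
};
```

Each half can be validated with `named-checkconf` before reloading the server.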