Preventing Vexation and Woe: DNS Fundamentals, Part 2 - Page 4
Separating DNS Caches From DNS Servers
This is a crucial step for securing DNS. Caches and servers must have different IP addresses. If they share the same IP, an intruder who gains control of one will be able to control both, which means controlling both your incoming and outgoing DNS. It also means they can hijack your email and all traffic intended for your domain.
The modular structure of djbdns means installing only what you need to use. Rule #1 of security is unnecessary services increase vulnerability.
dig, domain information groper, is a dandy little utility and study tool. Use it to study how other DNS admins configure their zones and to see how your own zones look from the outside.
DNS is a surprisingly large subject. The djbdns home page is a great place to start, as it contains tutorials for every aspect of DNS. See also the relevant RFCs, they explain what all those mysterious abbreviations mean in more detail.
RFC 1035. See also 1591, 2181, and 3071
djbdns home page
Stroud's CWSApps, search here for Windows DNS and proxy software
Tinydns: Kiss Your Bind Good-Bye
Kiss Your BIND Good-bye: In-Depth Configuration with Tinydns
bind vs djbdns thread on the BIND Users Mailing List