
CSA DNS policy

TradeSecrets
Level 1

I noticed CSA does not have a Linux DNS policy. I want to protect my BIND even better. Any suggestions...

1 Reply

Danilo Dy
VIP Alumni

Basic security:

- When installing the OS, install only the necessary services.

- Do not install GNOME or another GUI.

- Install iptables and only allow TCP/UDP 53.

- For administration, use only SSH and only permit specific source IP addresses.

- BIND can be configured with an ACL so that it only allows recursive queries for specific networks.

- Do not allow remote access to the root account, even over SSH. Users need to "su -" to root after a successful login.

Restrict access to the SOA/master.

- You can hide it behind a firewall, using a private IP with no outside network access to it.

- Only allow Internet access to the slaves.

- When registering NS with the Domain Authority and NIC (for the reverse zone), only register the slaves.

- The only connection to/from the SOA/master is the zone transfer from the SOA/master to the slaves.

Remember to configure all NS to download the zone from the root monthly. This can be done by creating a script and running it in cron.

You can scan it using Nessus every 2 months to check for vulnerabilities.
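The recursion ACL and the master-to-slave transfer restriction from the reply above can be checked mechanically. This is an added example, not part of the original reply or of BIND: a simple text check rather than a full named.conf parser, and the sample configs, ACL names and addresses are constructed placeholders.

```python
import re

# Constructed sample named.conf texts; ACL names and addresses are placeholders.
WEAK = """
options {
    directory "/var/named";
    recursion yes;            // no ACL on recursion or transfers
};
"""
HARDENED = """
acl trusted { 192.0.2.0/24; };
acl slaves  { 198.51.100.10; 198.51.100.11; };
options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-transfer  { slaves; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def match_list(conf, directive):
    """Elements of the first `directive { ... }` list, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), conf)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_named(text):
    """Return findings for recursion and zone-transfer restrictions."""
    conf = strip_comments(text)
    findings = []
    recursion_off = re.search(r"\brecursion\s+no\s*;", conf) is not None
    rec = match_list(conf, "allow-recursion")
    if not recursion_off and (rec is None or "any" in rec):
        findings.append("recursion is not explicitly limited to an ACL")
    xfer = match_list(conf, "allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("zone transfers are not explicitly limited to the slaves")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_named(text) or "ok")
```

A missing directive is reported because the effective default then depends on the BIND version in use.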