You want a secure and fast DNS server that must also be quickly accessible remotely.
You should:
A.
Reject all udp packets.
B.
Reject all icmp packets.
C.
Reject all icmp untrusted-host packets.
D.
Disable inetd, run ssh_d and named as standalone daemons.
E.
Use tcpwrappers to only allow connections to ports 22 and 53.