You want a secure and fast DNS server that must also be quickly accessible remotely. You should:
A.
Reject all udp packets.
B.
Reject all icmp packets.
C.
Reject all icmp untrusted-host packets.
D.
Disable inetd, run ssh and named as standalone daemons.
E.
Use tcpwrappers to only allow connections to ports 22 and 53.
Explanation:
If you want a dedicated DNS server, that must be accessible remotely, you should run named and sshd as standalone services, and not with the inetd (or xinetd).
+ tcpwrappers can not block connections to specific ports ???