dns protect rules update 7 04
What you should not allow is queries (or recursion) from untrusted hosts
to resolve any hosts outside your own DNS domains. For example, suppose
you serve DNS for mydomain.com. Then:

Any trusted host "trusted.mydomain.com" should be allowed to query
or recurse to resolve any other hostname on the Internet.

Any untrusted host "untrusted.OTHERdomain.com" should be allowed to
query/recurse *ONLY* to resolve mydomain.com hosts.

Any untrusted host "untrusted.OTHERdomain.com" should *NOT* be allowed
to resolve (query/recursion) third-party hosts (e.g.
www.microsoft.com, www.cnn.com) using your DNS server.
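
The three rules above, written as a server policy. This is an added example, not part of the original note. It assumes the server is BIND 9 (the note names no DNS software); the "trusted" ACL addresses and the zone file name are constructed placeholders.

```conf
// named.conf fragment (assumed: BIND 9).
// Addresses and file names below are constructed placeholders.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;        // assumed network holding trusted.mydomain.com hosts
};

options {
    // Setting to avoid (lets any host resolve third-party names through you):
    //   allow-recursion { any; };

    recursion yes;
    allow-recursion   { trusted; };  // rule 1: trusted hosts may resolve any name
    allow-query-cache { trusted; };  // rule 3: untrusted hosts get nothing from the cache
    allow-query       { trusted; };  // default for names outside your own zones
};

zone "mydomain.com" {
    type master;
    file "db.mydomain.com";          // placeholder zone file
    allow-query { any; };            // rule 2: anyone may resolve mydomain.com hosts
};
```

With this policy, a query from an untrusted address for a mydomain.com name is answered from the zone, while a query from the same address for a third-party name is refused.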
Simpler guidelines: http://techrepublic.com.com/5100-6350-5287601.html
New Internet Storm Center guidelines: http://www.theinquirer.net/?article=22352