You want a secure and fast DNS server that must also be quickly accessible remotely.
You should:
A. Reject all UDP packets.
B. Reject all ICMP packets.
C. Reject all ICMP untrusted-host packets.
D. Disable inetd, run ssh and named as standalone daemons.
E. Use tcpwrappers to only allow connections to ports 22 and 53.