I've been aware for some time that my DNS isn't quite as securely configured as I'd like. http://crashrecovery.org/named/ looks pretty good, but the two main issues bugging me were:

  1. Anyone could do a 'dig @ns.dnorth.net dnorth.net AXFR' to retrieve a listing of all my DNS records - not great from a security point of view. This is a capability that should only be turned on for secondary DNS servers which need to fetch from the master.
  2. The server would perform arbitrary lookups [for any domain] on request. This means it's operating in 'recursive mode', which is a Bad Thing for various reasons.

The solutions were:

  1. Add "allow-transfer { "slaves"; };" (without the double quotes) to the section of the configuration beginning "zone 'dnorth.net'". Then add a section defining the "slaves" access control list to be the local server, plus the secondaries: "acl slaves { 127.0.0.1; 123.45.67.89; }" replacing 123.45.67.89 by the IP address(es) of your secondary nameserver(s).
  2. Add "recursion: no;" to the "options" section of the configuration.

Then restart the BIND9 service - on Debian, this is "/etc/init.d/bind9 restart".

Health warning: Don't do (2) above if you rely on your server to do its own DNS resolution - follow the crashrecovery tutorial above instead.