generally using something like ISC BIND you can set filters and easily
create an external view and internal view, so that you can do split dns
based on network connection.  if doing something like this, test it and
then test it again to make sure there is no leak due to a typo.

it would be easier if we knew what you were standing up the servers for.
if it is for example your own domain name, you want something simple
like a couple of A addresses and an MX record then you don't need to
deviate much.

if you are looking for dynamic dns updates you want to make sure you
have auth by secured ip (encrypted traffic) and you want to guard your
keys to allow DDNS.

DNSSEC is to prevent MITM attacks such as DNS cache poisoning, and you
can see some starter material at the ISC BIND website [1].

In terms of "hack my dns server" there are many things that can hamper
it - something at the bleeding edge like gentoo is ace for this kind of
thing (*cough* centos is prehistoric *cough*) and if you were to load up
metasploit with ISC specific filters you can try to see what is
vulnerable. you can filter by CVE on your favourite website [2]

If the server is public facing then you want to be wary of such goodies
as recursive lookups as these can contribute to DoS attacks.  you might
also like to try flooding the server with DNS or spoofed ip and see what
it responds to.  these are not necessarily dns server specific but UDP
server specific and you can start to get an idea of scalability.

in terms of primary to secondary then you have to question the
underlying layers -- is this being xferred across the internet?
internally over vpn?  are your secondary servers going to be full
secondaries or just caching forwarders? how will you control zone
transfers? consider filtering the type of queries, and the size of queries.

also consider the consequences of a hack. use selinux or similar, make
sure dns is running under its own username and/or namespace.  the primary
target though has to be to change dns zones, so as to make www.example.com
map to www.clickads.com, so make sure that you have a remote server doing
lookups regularly and reporting anomalies.

hope this gives you a few directions to explore!

[1] http://www.isc.org/downloads/bind/dnssec/
[2] https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
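As an added illustration of the points raised above (split DNS via views, no open recursion on the public side, TSIG-gated zone transfers and dynamic updates), here is a minimal BIND 9 named.conf; it is example configuration written for this reply, not from the original poster or from ISC. The zone name, network ranges, file paths and key names are assumed placeholders, and the TSIG secrets are left blank on purpose.

```conf
// Added example, not from the original message. Placeholders: example.com,
// the "internal" address ranges, zone file paths and the two key names.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// TSIG key shared only with the secondary (generate with tsig-keygen).
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE_WITH_TSIG_SECRET"; };
// Separate key for DDNS clients, so a leaked update key cannot pull the zone.
key "ddns-key" { algorithm hmac-sha256; secret "REPLACE_WITH_TSIG_SECRET"; };

options {
    directory "/var/named";
    version "none";               // do not advertise the build to scanners
    recursion no;                 // global default; the internal view opts in
    allow-transfer { none; };     // default deny; each zone opts in explicitly
    minimal-responses yes;        // smaller answers, less amplification value
};

// With views in use, every zone (including localhost/root hints) must live
// inside a view; those boilerplate zones are omitted here for brevity.

view "internal" {
    match-clients { internal; };
    recursion yes;                // resolver service for our own networks only
    allow-recursion { internal; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        // Only holders of ddns-key may change records, and only A/AAAA RRs.
        update-policy { grant ddns-key zonesub A AAAA; };
        allow-transfer { key xfer-key; };
    };
};

view "external" {
    match-clients { any; };       // everyone not matched by the view above
    recursion no;                 // no open resolver towards the Internet
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public A/MX records only
        allow-transfer { key xfer-key; };
    };
};
```

Run `named-checkconf -z` after editing, then query the same name with `dig` from an inside address and from an outside address to confirm each view returns only what it should; that is the "test it and then test it again" step, since one mistyped ACL silently leaks the internal zone.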
