DNS servers - IP Filter

["Cheek, Leigh" <lcheek () UTK EDU>]

I am reviewing DNS servers with Solaris 10 and BIND 9.5.1b2. Solaris was
hardened to the Center for Internet Security Benchmark. I am looking for
best practices for configuring the IP Filter/IP Table.  

Our security team recommends configuring to IP Filter as follows: 
        Allow access to public services like DNS (53/udp, 53/tcp, and a
few others) and HTTP/HTTPS from anywhere.
        Allow access to other services (RPC, NFS, SSH, etc.) only from
those systems, which require access to them.
        Deny all others.
        If there are questions, do a traffic capture on those systems to
see what is actually being used and how would be a good start.


Do you have any thoughts or experiences on configuring IP Filter on DNS
servers? 


Thanks,
Leigh