You want a secure and fast DNS server that must also be quickly accessible remotely. You should:

A.
Reject all udp packets.

B.
Reject all icmp packets.

C.
Reject all icmp untrusted-host packets.

D.
Disable inetd, run ssh and named as standalone daemons.

E.
Use tcpwrappers to only allow connections to ports 22 and 53.

Explanation:
If you want a dedicated DNS server, that must be accessible remotely, you should run named and sshd as standalone services, and not with the inetd (or xinetd).
??? tcpwrappers can not block connections to specific ports ???