high volume from outside our networks question

Steven Carr sjcarr at gmail.com
Fri Feb 1 17:05:16 UTC 2013


As we've already pointed out it is something in the way your system is
configured (you're doing everything in global options instead of using
views to separate the different "classes" of users) and that you are
running both authoritative and caching functions on the same server.

You can create 2 views "authorised" and "everyone else" which both
reference the same domain zone files so you don't need to duplicate the
zones. For the authorised view there is an ACL limiting who can access
the view, the view also has recursion enabled. For the unauthorised
view it is listed second in the config file, there is an "any" ACL on
the view and recursion is explicitly disabled. That should do what you
want it to do.

Also, do you really need to run caching services for your external
customers? 8.8.8.8 and 8.8.4.4 are there for this type of requirement.
DNS amplification problems are only going to get worse in future given
the effects enabling DNSSEC cause, so if you are going to take on
hosting your own DNS be sure your pipe has plenty of bandwidth
otherwise I'd generally leave it to the ISPs who have enough bandwidth
to deal with a DDoS.

Steve
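For readers who want to see the two-view layout from the reply laid out as configuration, here is an added named.conf sketch (example text, not from the post or from the BIND project). The ACL name, the 192.0.2.0/24 network, the zone name and the file path are assumptions; note that once any view is declared, BIND requires every zone to live inside a view.

```conf
// Added example (not from the list post). Network, zone and file are assumptions.
acl "authorised" {
    192.0.2.0/24;       // constructed: the customer/internal network allowed to recurse
    localhost;
};

options {
    directory "/var/named";
    // Deliberately no global recursion / allow-* settings: each view decides.
};

// First view: matched only for addresses in the ACL, recursion on.
view "authorised" {
    match-clients { authorised; };
    recursion yes;
    allow-recursion { authorised; };
    zone "example.com" {
        type master;
        file "example.com.zone";   // same file as in the second view
    };
};

// Second view: listed after the first, so everyone not matched above lands here.
// Authoritative answers only; no lookups on behalf of arbitrary Internet hosts.
view "everyone-else" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.zone";   // same file, no zone duplication
    };
};
```

Run `named-checkconf` on the file before reloading; afterwards a query from an address outside the ACL should still get authoritative answers for example.com but a recursive query for some unrelated name from that same address should be refused.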
