> Restrict resolvers to your customer networks. And if you have authoritative DNSSEC zones or other zones with large answers it might be a good idea to look at rate limiting the authoritative servers: http://www.redbarn.org/dns/ratelimits - Sander