DNS servers must only ever answer queries for authoritative domains and for local IP ranges; they must never answer for third parties.
The dangers in not doing so are many and serious, including DDoS attacks.
Securing BIND is as easy as adding an ACL and permitting it in named.conf:

    // Clients allowed to query this server
    acl "trust" {
        localhost;
        10.100.100.0/24;
        2001:ffff:ffff:ffff::/64;
    };

    options {
        ...
        // Only trusted clients may query or read from the cache
        allow-query { trust; };
        allow-query-cache { trust; };
        ...
    };

Securing Unbound is as easy as adding access-control statements in unbound.conf:

    server:
        # Refuse everyone, then allow the local ranges
        access-control: 0.0.0.0/0 refuse
        access-control: 10.100.100.0/24 allow
        access-control: 2001:ffff:ffff:ffff::/64 allow
        ...
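To confirm the ACL took effect, query the server from an address outside the trusted ranges: a restricted BIND or Unbound answers with RCODE REFUSED instead of resolving the name. The Python check below is an added example, not part of the original page; its function names and sample packets are constructed for illustration, and `probe` assumes an IPv4 server that you operate.

```python
import socket
import struct

REFUSED = 5  # DNS RCODE 5, returned when the ACL denies the client

def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Return 'refused', 'open' or 'not-open' from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == REFUSED:
        return "refused"
    if recursion_available and rcode == 0 and ancount > 0:
        return "open"      # resolved a third-party name for an untrusted client
    return "not-open"      # e.g. SERVFAIL or an answer without recursion

def probe(server, name="example.com", timeout=3.0):
    """Send one query to your own server; run this from an untrusted address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify(data)

def _hdr(flags, ancount):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample headers, not captured traffic
SAMPLE_REFUSED = _hdr(0x8105, 0)  # QR, RD, RCODE=REFUSED
SAMPLE_OPEN = _hdr(0x8180, 1)     # QR, RD, RA, NOERROR, one answer

if __name__ == "__main__":
    print(classify(SAMPLE_REFUSED), classify(SAMPLE_OPEN))
```

A result of `open` from an untrusted address means the ACL is not being applied; `refused` is the expected outcome.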