By default the DNS server listens on all interfaces / IP addresses. Most DNS servers set to allow recursive queries should not be listening on a public interface / IP address. Doing so allows them to be used in a DNS applification attack (a type of DDOS), ref: US-Cert DNS Amplification Attacks.
Configure the DNS server to only listen on internal addresses.
dnscmd <ServerName> /ResetListenAddresses [<ListenAddress> ...]For help:
dnscmd <ServerName> /ResetListenAddresses /help TechNet: Restrict a DNS server to listen only on selected addresses