Hi, great question by the way.
BIND-based DNS
Best practice design for BIND-based DNS calls for using one primary DNS server and as many secondary DNS servers as required to support your environment for each DNS zone.
In this scenario, the primary server for each zone is authoritative and is the only location where updates for a zone can take place. Secondary and tertiary servers, and so on, help process the load of DNS queries.
The process by which secondary and tertiary servers are kept up to date is zone transfers. By default (at least on the Microsoft Windows platform), zone transfers are permitted for any server, or anyone for that matter, making a request.
To mitigate this first concern, it is recommended to restrict zone updates to authorized servers only. This is done by adding the IP address of all servers authorized to perform zone transfers to the authorized servers list for each zone on the primary server. It is also a good idea to configure each zone to notify secondary servers when an update is available to initiate a zone transfer.
Active Directory-Integrated DNS
Active Directory-Integrated DNS is different from BIND-based DNS in that it does not use a primary-secondary method of replication. Instead, each DNS server is, for all intents and purposes, ‘primary’. This means that zone updates can be applied at any DNS server responsible for a zone. The changes will then replicate to all remaining DNS servers during the next AD replication cycle.
Something to consider with AD-Integrated DNS is dynamic updates. Dynamic updates allow hosts to update their own host records in DNS. This is a useful feature; however, zones should be configured to allow secure updates only to prevent unauthorized updates.
Dynamic DNS is a common feature today, so this may very well be applicable to other flavors of DNS, not just Microsoft.
There is a great feature called “restricted groups” in AD that allows group membership for built-in and created groups to be managed by group policy. For example, a policy can be created so that there are no members in the DNSAdmins group. When a change needs to be performed, a user account or group can be added to the group; however, the user or group will be removed automatically by group policy during the next replication cycle. This ensures that users and groups are not granted elevated privileges and permissions indefinitely, and it also prevents administrators from adding themselves to groups.
Good luck and remember to have fun!
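To put the zone-transfer and secure-dynamic-update recommendations above into practice on a Windows DNS server, here is an added example (not part of the original answer) using the DnsServer PowerShell module; the zone name and secondary server addresses are placeholders, and the audit step at the end is an assumption about which settings a reviewer would flag.

```powershell
# Added example, not from the original post. Requires the DnsServer module
# (RSAT / Windows Server) and a session with DNS administrator rights.
$ZoneName    = 'corp.example'                  # placeholder zone name
$Secondaries = @('192.0.2.10', '192.0.2.11')   # placeholder secondary addresses (TEST-NET-1)

# 1. Replace the permissive default (transfer to any requester) with an explicit
#    list of secondaries, and notify exactly those servers when the zone changes
#    so they pull a transfer promptly instead of waiting for the SOA refresh timer.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $Secondaries `
    -Notify            NotifyServers `
    -NotifyServers     $Secondaries

# 2. For an AD-integrated zone, accept dynamic updates only from clients that
#    authenticate via Kerberos (GSS-TSIG). 'Secure' is only valid on
#    AD-integrated zones; file-backed zones offer None or NonsecureAndSecure.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.IsDsIntegrated) {
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

# 3. Audit: report every primary zone still carrying one of the two weak settings
#    the answer warns about. Emits one object per offending zone (none = clean).
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $findings = @()
        if ($_.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += 'zone transfers allowed to any server'
        }
        if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'nonsecure dynamic updates allowed'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Zone = $_.ZoneName; Findings = ($findings -join '; ') }
        }
    }
```

Run step 3 on its own first to see which zones would be touched before applying steps 1 and 2 to each of them.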