DNS subsystem is a real headache to manage. You will realize that once you have to tweak the system, especially if you want to incorporate your own filtering/access-blocking rules.
And the DNS Cache Poisoning. It's a real threat.
While I believe my DNS subsystem is quite safe under the good-old djbdns servers, I am now testing the OpenDNS, a DNS cache service provider. One of the good things about OpenDNS is that they even allow a single-IPv4 address network to be individually managed, even it's dynamically allocated, as in most of the cases for non-static-IPv4 users.
If you can trust your ISP for the DNS management, you are on your own. But if you can't or don't, OpenDNS is a good alternative. I notice many ISPs still have not changed their DNS cache servers to prevent the poisoning attack as of today (July 24, 2008); using OpenDNS from such a mobile networking environment will make the whole DNS access much secure.
