Ubuntu - Networking - DNS - Security - Check if the DNS server responds to "." queries with a full list of root name servers

If your DNS server answers “.” NS queries from arbitrary (external) sources with the full list of root name servers, it is behaving as an open resolver and could be used as a reflector in a DDoS attack.

Test this by issuing:

dig . NS @yournameserver

This should be run from outside of your network to get the “real” picture.


External Testing

An online tool on isc.sans.org can be used to verify this as well.

result:

Good. your name server refused the query
 
Testing 5.42.134.35 (5.42.134.35)
 
/usr/bin/dig . NS @5.42.134.35
 
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.8 <<>> . NS @5.42.134.35
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35224
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;.				IN	NS
 
;; Query time: 141 msec
;; SERVER: 5.42.134.35#53(5.42.134.35)
;; WHEN: Fri Jul  8 10:21:12 2016
;; MSG SIZE  rcvd: 17

Testing Internal

From inside the network it is fine if the query returns the full list of root name servers; that is the expected answer for a recursive resolver serving its own clients.

dig . NS @192.168.1.1

returns:

; <<>> DiG 9.16.1-Ubuntu <<>> . NS @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13820
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	NS
 
;; ANSWER SECTION:
.			86057	IN	NS	k.root-servers.net.
.			86057	IN	NS	j.root-servers.net.
.			86057	IN	NS	m.root-servers.net.
.			86057	IN	NS	l.root-servers.net.
.			86057	IN	NS	g.root-servers.net.
.			86057	IN	NS	i.root-servers.net.
.			86057	IN	NS	c.root-servers.net.
.			86057	IN	NS	h.root-servers.net.
.			86057	IN	NS	e.root-servers.net.
.			86057	IN	NS	f.root-servers.net.
.			86057	IN	NS	b.root-servers.net.
.			86057	IN	NS	a.root-servers.net.
.			86057	IN	NS	d.root-servers.net.
 
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jan 10 19:24:48 GMT 2021
;; MSG SIZE  rcvd: 239
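To automate both checks shown above, the following added script (not part of this wiki page) sends the same “.” NS query in wire form and classifies the reply as REFUSED or as an answer listing root name servers. The two embedded replies are constructed samples that mirror the dig outputs above, not captured packets; the `probe` helper and its 3-second timeout are assumptions.

```python
import socket
import struct
NS_TYPE, IN_CLASS, RCODE_REFUSED = 2, 1, 5

def build_root_ns_query(qid=0x1234):
    """Wire form of 'dig . NS': RD set, one question; the QNAME '.' is a single zero byte."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", NS_TYPE, IN_CLASS)

def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset just past it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def classify_response(resp):
    """('refused', []) when RCODE is REFUSED, else ('answered', [NS names in the answer])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F == RCODE_REFUSED:
        return "refused", []
    off, names = 12, []
    for _ in range(qdcount):                      # skip the question section
        off = read_name(resp, off)[1] + 4
    for _ in range(ancount):
        off = read_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == NS_TYPE:
            names.append(read_name(resp, off + 10)[0])
        off += 10 + rdlen
    return "answered", names

def probe(server, timeout=3.0):
    """Assumed helper: send the query to server:53 over UDP and classify the reply (live network use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(), (server, 53))
        return classify_response(s.recv(4096))

# Constructed sample replies (not captured from a real server), laid out like the dig outputs above.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + b"\x00\x00\x02\x00\x01"
ANSWERED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + b"\x00\x00\x02\x00\x01"
    + b"\xc0\x0c\x00\x02\x00\x01" + struct.pack("!IH", 86057, 20) + b"\x01a\x0croot-servers\x03net\x00"
    + b"\xc0\x0c\x00\x02\x00\x01" + struct.pack("!IH", 86057, 4) + b"\x01b\xc0\x1f")
```

Run `probe("yournameserver")` from outside the network: `("refused", [])` matches the REFUSED result above, while an `("answered", [...])` result listing root servers means the server is answering external “.” queries.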
ubuntu/networking/dns/security/check_if_the_dns_server_responds_to_._queries_with_a_full_list_of_root_name_servers.txt · Last modified: 2021/01/10 20:45 by peter