If you are using PlugProxy instead of Bind that means between the client and target zones all the protocols can get through which are using UDP
When you say "all the protocols can get through which are using UDP" then I get nervous. Are you saying that using PlugProxy for UDP is somehow more dangerous than using PlugProxy for TCP?
I think I now understand what you meant. When you said "protocol" you were probably thinking at the application layer, but when I read "protocol" I was thinking at the network or transport layers. Sorry, I'm still used to thinking in terms of packet filtering only. Okay, so what you said makes sense, but that still doesn't tell me where I should put my master and slave name servers that will be authoritative for my own domain. I guess I'll go back to my _DNS and Bind_ book, and see what I can come up with...