Private resolvers are normally found on corporate/restricted networks and are not publicly accessible. They are often located on private IP address subnets (RFC1918, for instance), limiting reachability from the rest of the Internet (with or without the use of access control lists/filters). Private resolvers are in some cases part of a trusted computing domain (e.g., Active Directory).
There are two types of best practices for private recursive resolver operators: DNS security and privacy, and DNS availability and resilience. In addition to these two categories specific to the core DNS, all operators must pay careful attention to practices related to hardening their core system security.
DNSSEC validation MUST be enabled for recursive resolvers.
ACL statements MUST be used to restrict who may send recursive queries to your DNS resolvers/validators.
QNAME minimization MUST be enabled to mitigate leakage of domain names.
Authoritative and recursive DNS service MUST NOT coexist on the same DNS server.
At least two distinct servers MUST be used for providing recursion services.
Monitoring of the services, servers, and network equipment that make up your DNS infrastructure MUST be implemented.