I hear ya buddy, and I can’t be critical. Like I said, here I am the Linux nerd patching our DNS servers for a very nasty vulnerability.
There is something though called “SELinux” (Security Enhanced Linux) that could make web borne threats a moot point. But it’s such a PITA to deal with that no rational, sane people run it.
So we're gonna use it then ?.........:o)