Master NS managed by Hestia:
You would configure HestiaCP on the two external DNS servers with a minimal software stack, like nginx+bind9 only, without apache, exim, mysql, so nothing besides DNS would get served by them.
Then configure the firewall to limit access to port 8083 and allow only the servers that are serving customer websites.
hst-install.sh --nginx yes --named yes --apache no --vsftpd no --mysql no --dovecot no --clamav no --spamassassin no --fail2ban no ...
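
A sketch of the port 8083 restriction described above, as an added example that is not part of the original post. It assumes plain iptables on the DNS servers rather than Hestia's own firewall management, and the web server addresses are constructed samples. The script only prints the rules for review and does not apply them.

```shell
#!/bin/sh
# Constructed sample addresses (TEST-NET range) standing in for the
# servers that serve customer websites. Replace with the real ones.
WEB_SERVERS="192.0.2.10 192.0.2.11"
PANEL_PORT=8083

# is_ipv4: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# panel_rules: print the iptables commands, or print nothing and fail
# if any entry in WEB_SERVERS is not a valid IPv4 address.
panel_rules() {
    # Validate the whole list first so a typo never yields a partial rule set.
    for ip in $WEB_SERVERS; do
        if ! is_ipv4 "$ip"; then
            echo "invalid address in WEB_SERVERS: $ip" >&2
            return 1
        fi
    done
    # Allow the panel port only from the listed web servers.
    for ip in $WEB_SERVERS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $PANEL_PORT -j ACCEPT"
    done
    # Any other source reaching the panel port is dropped.
    echo "iptables -A INPUT -p tcp --dport $PANEL_PORT -j DROP"
    # DNS itself stays reachable from everywhere.
    echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 53 -j ACCEPT"
}

panel_rules
```

With an empty WEB_SERVERS list the output contains only the DROP rule for port 8083, so the panel port fails closed.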