Yes, it should be the default. But not turning off recursion entirely.
I’ll set it to:
allow-recursion {127.0.0.1;};
This will allow Webmin and all of its stuff to work, while still preventing outside users from querying your server.
I don’t consider this a major concern, security-wise, as all of the cache poisoning holes that are an issue have long been resolved…but still, it can be a vector of attack for DoS and other stuff (if someone were trying really hard), so it’s worth closing by default.
Next revision of virtualmin-base will set this, by default.