You can specify, per zone, which remotes are allowed for outgoing XFR and NOTIFY.
    remotes {
      slave { address 127.0.0.1@53; }
      any { address 0.0.0.0/0; }
      subnet1 { address 192.168.1.0/24; }
      subnet2 { address 192.168.2.0/24; }
    }
    zones {
      example.com {
        file "/var/zones/example.com";
        xfr-out subnet1, subnet2; # allow outgoing transfers
        notify-out slave;
        update-in subnet1; # only allow DNS UPDATE from subnet1
      }
    }
You can also secure outgoing XFRs with TSIG.
    keys {
      key0 hmac-md5 "Wg=="; # keyname algorithm secret
    }
    remotes {
      any { address 0.0.0.0/0; key key0; }
    }
    zones {
      example.com {
        file "/var/zones/example.com";
        xfr-out any; # uses 'any' remote secured with TSIG key 'key0'
      }
    }
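The following Python sketch is an added example, not part of the original documentation. It audits a `keys` block in the format shown above, flagging the `hmac-md5` algorithm and the one-byte placeholder secret `"Wg=="`, and builds a replacement entry with a random secret. It assumes the server accepts `hmac-sha256` as an algorithm name (check your version's documentation); `audit_keys` and `new_key_entry` are hypothetical helper names.

```python
import base64
import re
import secrets

# HMAC digest sizes in bytes; a TSIG secret shorter than the digest is weak.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
DISCOURAGED = {"hmac-md5", "hmac-sha1"}  # RFC 8945 advises against using these

# Matches entries of the form:  keyname algorithm "base64secret";
KEY_RE = re.compile(r'([\w.-]+)\s+(hmac-[\w-]+)\s+"([^"]*)"\s*;')


def audit_keys(config_text):
    """Return {keyname: [findings]} for every entry in a keys { } block."""
    findings = {}
    block = re.search(r'keys\s*\{(.*?)\}', config_text, re.S)
    if not block:
        return findings
    for name, algo, secret in KEY_RE.findall(block.group(1)):
        issues = []
        algo = algo.lower()
        if algo in DISCOURAGED:
            issues.append(f"{algo} is discouraged; prefer hmac-sha256")
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:
            issues.append("secret is not valid base64")
        else:
            need = DIGEST_BYTES.get(algo, 32)
            if len(raw) < need:
                issues.append(f"secret is {len(raw)} bytes, want >= {need}")
        findings[name] = issues
    return findings


def new_key_entry(name, algo="hmac-sha256"):
    """Build a keys-block entry with a fresh random secret of digest length."""
    secret = base64.b64encode(secrets.token_bytes(DIGEST_BYTES[algo])).decode()
    return f'{name} {algo} "{secret}";'


# Constructed sample: the keys block from the page, with its placeholder secret.
SAMPLE = 'keys { key0 hmac-md5 "Wg=="; # keyname algorithm secret\n}'

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
    print(new_key_entry("key0"))
```

The same secret must be configured on both ends of the transfer, so distribute the generated entry over a channel you already trust.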