Hello, I think somebody should write a short and simple FAQ for this. These types of questions are appearing very often.

I believe that you do not need to add special filtering rules for forwarders, secondaries, etc. Properly configure your DNS server, use ACLs. Using netfilter you cannot judge whether a TCP:53 packet is a zone transfer or just a query.

Regards,
Maciej Soltysiak
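As an added illustration of the point above (not part of the original message), here is what "use ACLs on the DNS server" looks like in BIND's named.conf: the firewall simply passes TCP/UDP 53, and the distinction between an ordinary query and a zone transfer (AXFR/IXFR) is made by the server itself via allow-query and allow-transfer. The ACL name, zone name and the 192.0.2.x secondary addresses are constructed placeholders.

```conf
// Constructed example: hosts allowed to pull zone transfers (your secondaries).
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/cache/bind";
    // Anyone may send ordinary queries over UDP or TCP port 53 ...
    allow-query    { any; };
    // ... but nobody may request a zone transfer unless a zone overrides this.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    // Only the listed secondaries may AXFR/IXFR this zone; a packet filter
    // cannot make this distinction because both queries and transfers use port 53.
    allow-transfer { secondaries; };
    also-notify     { 192.0.2.10; 192.0.2.11; };
};
```

With this in place the netfilter rule for the name server can be a plain accept of port 53 (TCP and UDP) from the clients it should serve; an AXFR attempt from an address outside the "secondaries" ACL is refused by named and shows up in its log, which is where such attempts are best detected.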
