How to deny query DNS server by external hosts and allow only short list of hosts query server. Solution has to be completed for hosts with dynamic IP

allow-recursion { address_match_list };

seems to solve the problem however I can't see the way to use hostname instead IP address (ie. dynamic IP registered with dyndns.com server)

I've never heard of a DNS daemon that does what you want out of the box, but there are a few roundabout ways you may be able to approximate the behavior.

The easiest way I can think of is to use a VPN or SSH tunnel to route DNS queries through. Unfortunately, it adds an extra step in setup and adds latency to your connections--but it at least would achieve the goal.

Without knowing more about what you're trying to achieve and the sort of clients you want to serve, it's difficult to give a better answer.

James

dnscache, found in the djbdns software package[1], is able to restrict which IP addresses and IP address ranges are allowed to query the DNS server.

[1] http://cr.yp.to/djbdns.html

Cheers,
Nick

You might also look to see what network ranges dyndns.com uses, then use iptables to allow those networks access to port 53 (denying everything else). Far from a perfect solution but it would narrow it down a lot.