One easy way is that in your options section set allow-query { none; }; (or list the addresses/networks you want to allow), and then for each zone you are master/slave for add an allow-query {any; };
eg
Code:
options {
listen-on { 127.0.0.1; 1.2.3.4; };
allow-recursion { 127.0.0.1; 1.2.3.4; };
allow-query { 127.0.0.1; 1.2.3.4; };
directory "/etc/zones";
};
zone "example,com" {
type master;
file "master";
allow-query { any; };
};
(here "1.2.3.4" is my own IP address)
Now anyone asking for "." will get a REJECT packet. This isn't the same as blocking the traffic, but the response is the same size as the request so you aren't amplifying the traffic.
In addition you can use the blacklist{} option to block known bad addresses.