Today I spotted some attempts to perform a zone transfer from one of the DNS servers I manage. Given this is on CentOS 7 and therefore using by default Firewalld, I had a quick read of the documentation regarding how best to drop these attempts.
Here we go;
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="x.x.x.x" service name="dns" drop'
And that was all that was required. Note that single quotes are used to contain the entire string.
Should you need some bed time reading, then I would highly recommend reading the following;