Name Server Operations Guide for BIND Release 4.9.5 : Files : Boot File : Zone Transfer Restrictions
Previous: Setting Name Server Limits
Next: Sorting Addresses

6.1.13. Zone Transfer Restrictions

It may be the case that your organization does not wish to give complete lists of your hosts to anyone on the Internet who can reach your name servers. While it is still possible for people to ``iterate'' through your address range, looking for PTR records, and build a list of your hosts the ``slow'' way, it is still considered reasonable to restrict your export of zones via the zone transfer protocol. To limit the list of neighbors who can transfer zones from your server, use the xfrnets directive.

This directive has the same syntax as forwarders except that you can list network numbers in addition to host addresses. For example, you could add the directive

xfrnets 16.0.0.0

if you wanted to permit only hosts on Class A network number 16 to transfer zones from your server. This is not nearly granular enough, and a future version of BIND will permit such access control to be specified on a per-host basis rather than the current per-net basis. Note that while addresses without explicit masks are assumed by this directive to be networks, you can specify a mask as granular as you wish, perhaps including all bits of the address so that only a single host is given transfer permission. For example, consider

xfrnets 16.1.0.2&255.255.255.255

which would permit only host 16.1.0.2 to transfer zones from you. Note that no spaces are allowed surrounding the ``&'' character that introduces a netmask.

The xfrnets directive may also be given as tcplist for compatibility with interim releases of BIND 4.9.
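As an added illustration (not part of the BIND documentation or of the BIND code), the following Python checker applies the rules described above to a constructed boot-file fragment: an entry without an explicit mask is treated as a classful network (an assumption about how BIND 4.9.5 infers the mask from the address class), an entry written as address&mask is matched bit-for-bit, the tcplist alias is accepted, and a spaced ``&'' is refused rather than misread.

```python
import ipaddress

# Constructed named.boot fragment (';' starts a comment in the BIND 4 boot file).
BOOT_FILE = """\
; sample boot file fragment, constructed for this example
directory /etc/namedb
xfrnets 16.0.0.0                      ; whole Class A network 16
tcplist 192.0.2.7&255.255.255.255     ; a single host, via the compatibility alias
"""

def classful_mask(net):
    """Default mask for an entry given without '&mask' (classful inference, an assumption)."""
    first = int(net.split(".")[0])
    if first < 128:
        return "255.0.0.0"       # Class A
    if first < 192:
        return "255.255.0.0"     # Class B
    return "255.255.255.0"       # Class C

def parse_xfrnets(boot_text):
    """Return [(network, mask)] as integers from every xfrnets/tcplist line."""
    allowed = []
    for line in boot_text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if not tokens or tokens[0] not in ("xfrnets", "tcplist"):
            continue
        for item in tokens[1:]:
            net, sep, mask = item.partition("&")
            if sep and not (net and mask):
                # "16.1.0.2 & 255.255.255.255" splits into three tokens; the guide
                # says no spaces may surround '&', so refuse rather than misread it.
                raise ValueError(f"malformed netmask entry in: {line.strip()!r}")
            if not sep:
                mask = classful_mask(net)
            allowed.append((int(ipaddress.IPv4Address(net)),
                            int(ipaddress.IPv4Address(mask))))
    return allowed

def may_transfer(allowed, addr):
    """True if addr falls inside any permitted network, i.e. (addr & mask) == (net & mask)."""
    a = int(ipaddress.IPv4Address(addr))
    return any((a & mask) == (net & mask) for net, mask in allowed)

if __name__ == "__main__":
    rules = parse_xfrnets(BOOT_FILE)
    for peer in ("16.200.3.4", "17.0.0.1", "192.0.2.7", "192.0.2.8"):
        print(peer, "permitted" if may_transfer(rules, peer) else "refused")
```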
