I need to configure a DNS forwarder server and so far I've stumped over this tutorial. See the config below. My issue is that I don't want to block clients (i.e. goodclients) from accessing the server because I'm planning to publish it in the domain name NS records. The question is how can I configure it for forwarding only (no querying) in a secure manner? Basically I want to use the forwarder as a "vanity" server without the risks of DDoS mentioned in the article.

acl goodclients {
        107.170.41.189;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward only;

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Anthony Hunt

1 Answer

If I understand your question correctly, that you simply want to allow queries from all clients but only allow recursion/forwarding for select networks, it would appear that you probably didn't actually want to set allow-query in the first place but rather set allow-recursion instead.

It's well worth reading the official manual (linked above) regarding the allow-* settings, in particular the defaults and how these settings interact.

Håkan Lindqvist
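The interaction the answer points at, shown as an added example that is not part of either post and is not a BIND tool: a small Python checker that parses a named.conf fragment modelled on the one in the question and applies BIND 9's documented allow-* defaults (allow-query defaults to any; allow-recursion falls back to allow-query-cache, then allow-query, then localnets/localhost). It compares three constructed variants: the original config, a naive change to allow-query { any; } on its own, and the answer's suggestion of allow-query { any; } together with allow-recursion { goodclients; }. The helper names (make_config, assess, parse_options) and the sample configs are constructed for this example.

```python
import re

# Constructed sample: a named.conf fragment in the shape of the one in the question.
def make_config(allow_query, allow_recursion=None):
    rec = f"        allow-recursion {{ {allow_recursion}; }};\n" if allow_recursion else ""
    return f"""acl goodclients {{
        107.170.41.189;
        localhost;
        localnets;
}};

options {{
        directory "/var/cache/bind";
        recursion yes;
        allow-query {{ {allow_query}; }};
{rec}        forwarders {{ 8.8.8.8; 8.8.4.4; }};
        forward only;
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 {{ any; }};
}};
"""

ASKER_CONFIG = make_config("goodclients")            # the question's config
NAIVE_FIX = make_config("any")                       # only allow-query opened up
CORRECTED_CONFIG = make_config("any", "goodclients") # the answer's suggestion


def strip_comments(text):
    """Drop /* */, # and // comments (the three BIND comment styles)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def matching_body(text, start):
    """Return the text between an opening brace (at start-1) and its matching '}'."""
    depth, i = 1, start
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def statements(body):
    """Split a block body into top-level ';'-terminated statements, brace-aware."""
    out, depth, cur = [], 0, []
    for ch in body:
        cur.append(ch)
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            out.append("".join(cur).strip().rstrip(";").strip())
            cur = []
    return [s for s in out if s]


def parse_options(config_text):
    """Map option name -> value string, or -> list of entries for '{ a; b; }' values."""
    text = strip_comments(config_text)
    m = re.search(r"\boptions\s*\{", text)
    opts = {}
    for st in statements(matching_body(text, m.end())):
        parts = re.split(r"\s+", st, maxsplit=1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if rest.startswith("{"):
            inner = rest[1:rest.rfind("}")]
            opts[name] = [e.strip() for e in inner.split(";") if e.strip()]
        else:
            opts[name] = rest
    return opts


def parse_acls(config_text):
    """Map acl name -> list of entries for every top-level 'acl name { ... };'."""
    text = strip_comments(config_text)
    acls = {}
    for m in re.finditer(r"\bacl\s+([\w-]+)\s*\{", text):
        body = matching_body(text, m.end())
        acls[m.group(1)] = [e.strip() for e in body.split(";") if e.strip()]
    return acls


def expand(acl, acls, seen=()):
    """Replace named acl references with their entries (cycle-safe)."""
    out = []
    for entry in acl:
        if entry in acls and entry not in seen:
            out.extend(expand(acls[entry], acls, seen + (entry,)))
        else:
            out.append(entry)
    return out


def assess(config_text):
    """Apply BIND 9's documented defaults for the allow-* options and classify the result."""
    opts, acls = parse_options(config_text), parse_acls(config_text)
    recursion_on = opts.get("recursion", "yes") == "yes"           # BIND default: recursion yes
    query_acl = expand(opts.get("allow-query", ["any"]), acls)     # default: any
    rec_acl = expand(opts.get("allow-recursion") or opts.get("allow-query-cache")
                     or opts.get("allow-query") or ["localnets", "localhost"], acls)
    return {
        "answers_everyone": "any" in query_acl,                 # needed for a host published in NS records
        "open_resolver": recursion_on and "any" in rec_acl,     # the amplification risk the question worries about
        "recursion_acl": rec_acl,
    }


if __name__ == "__main__":
    for label, cfg in [("asker", ASKER_CONFIG), ("naive", NAIVE_FIX), ("corrected", CORRECTED_CONFIG)]:
        print(label, assess(cfg))
```

Running it shows why the answer says allow-query was the wrong knob: the question's config already limits recursion to goodclients, but only because allow-recursion inherits allow-query, so it also refuses every other query; opening allow-query alone turns the host into an open resolver; setting allow-recursion explicitly keeps the recursion ACL while letting anyone query.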