I run a "hidden primary master" DNS setup on BIND, so only secondaries are visible to the outside world. The firewall currently permits traffic from the Internet to both udp/53 and tcp/53 on the secondaries and everything seems to work fine.
Each day however, I see a load of "refused notify from non-master" log entries from external addresses that have nothing to do with me. I understand what the log entries are telling me there, but I'd rather not have all this "noise" in my logs.
As only the secondaries are Internet-facing, can I safely deny tcp/53 traffic from the Internet to prevent the "refused notify from non-master" entries, or is there a good reason to allow tcp/53 traffic to the secondaries? The master is behind the same firewall and would not be affected by this firewall change.