I am not sure what your setup is, but I assume you want systems on your internal network to be able to access your DNS (port 53) and you want to keep everyone else out of your DNS? Is your DNS on your firewall?

If DNS is running on your firewall, then you should have two ethernet interfaces. Simply reject all UDP requests to port 53 on the external interface of your firewall with something like this:

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port 53 -j REJECT

Then allow all outgoing requests from your firewall to port 53 on other systems on the Internet with something like this:

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp --destination-port 53 -j ACCEPT

You could tighten this up by adding the source IP of your DNS server. If you provide DNS to all of your internal systems there should be no need for any of them to try and access a DNS on the Internet, but your DNS server will need to be able to. Try something like this:

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $EXTERNAL_IP --destination-port 53 -j ACCEPT

On the internal interface of your Firewall/DNS you could then allow incoming traffic from your internal systems like this:

    ipchains -A input -i $INTERNAL_INTERFACE -p udp -s 192.168.0.0/16 --destination-port 53 -j ACCEPT

If your firewall and DNS are not on the same system, then try blocking all incoming DNS requests at your firewall like this:

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port 53 -j REJECT

And allow your DNS server to access other DNS on the Internet with a rule like this on your firewall:

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp --destination-port 53 -j ACCEPT

Hope that helps a little,

Dusty

"Linux is for people who hate Windows. BSD is for people that love unix."
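The rules in the reply above, gathered into one script for both layouts (DNS on the firewall itself, and DNS on a separate internal host). This is an added example and not Dusty's own script; the interface names, addresses and the DNS_SERVER address in it are assumptions to be replaced with your own. It goes beyond the post in two ways: it also covers TCP port 53 (DNS falls back to TCP for zone transfers and for responses too large for UDP, so a UDP-only REJECT leaves that path open), and it pins the outbound rule for the separate-server case to the server's own address. By default it only prints the ipchains commands (DRY_RUN=1); set DRY_RUN=0 on a kernel that actually has ipchains to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Assembles the ipchains DNS rules
# for a Linux 2.2-era firewall. Values below are assumptions; change them.

EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}      # assumed: Internet-facing NIC
INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth1}      # assumed: LAN-facing NIC
EXTERNAL_IP=${EXTERNAL_IP:-203.0.113.10}            # assumed: firewall's public address
INTERNAL_NET=${INTERNAL_NET:-192.168.0.0/16}        # LAN range, as in the post
DNS_SERVER=${DNS_SERVER:-192.168.1.53}              # assumed: internal DNS host (separate-server case)
DRY_RUN=${DRY_RUN:-1}                               # 1 = print commands, 0 = run them

# Run (or, in dry-run mode, print) one ipchains command.
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Layout 1: the name server runs on the firewall itself.
# ipchains matches first-fit, so the external REJECT and the internal ACCEPT
# never conflict: they are keyed on different interfaces.
dns_on_firewall() {
    # Keep every host on the Internet away from the resolver, UDP and TCP.
    ipc -A input -i "$EXTERNAL_INTERFACE" -p udp --destination-port 53 -j REJECT
    ipc -A input -i "$EXTERNAL_INTERFACE" -p tcp --destination-port 53 -j REJECT
    # Only the firewall's own address may query name servers on the Internet.
    ipc -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$EXTERNAL_IP" --destination-port 53 -j ACCEPT
    ipc -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$EXTERNAL_IP" --destination-port 53 -j ACCEPT
    # Internal systems may query the firewall's resolver.
    ipc -A input -i "$INTERNAL_INTERFACE" -p udp -s "$INTERNAL_NET" --destination-port 53 -j ACCEPT
    ipc -A input -i "$INTERNAL_INTERFACE" -p tcp -s "$INTERNAL_NET" --destination-port 53 -j ACCEPT
}

# Layout 2: the name server is a separate host on the LAN, behind the firewall.
# Forwarded packets pass the input, forward and output chains in turn, so the
# outbound rule can be pinned to the DNS server's address. If the LAN is
# masqueraded, the output chain sees the packet after rewriting; use
# -s "$EXTERNAL_IP" there instead of -s "$DNS_SERVER".
dns_behind_firewall() {
    ipc -A input -i "$EXTERNAL_INTERFACE" -p udp --destination-port 53 -j REJECT
    ipc -A input -i "$EXTERNAL_INTERFACE" -p tcp --destination-port 53 -j REJECT
    ipc -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$DNS_SERVER" --destination-port 53 -j ACCEPT
    ipc -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$DNS_SERVER" --destination-port 53 -j ACCEPT
}

# Number of rules a layout produces; useful as a sanity check of the output.
rule_count() {
    "$1" | grep -c '^ipchains '
}

case "${1:-}" in
    onbox)    dns_on_firewall ;;
    separate) dns_behind_firewall ;;
    "")       echo "usage: $0 onbox|separate   (DRY_RUN=0 to apply)" ;;
esac
```

Check the result on a real box with `ipchains -L input -n` and `ipchains -L output -n`; from an outside host, `dig @your.external.ip example.com` (or `nslookup`) should get no answer, while the same query from the LAN still resolves.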