I am trying to secure a Secondary DNS server using MS TCP/IP filtering.



<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html#ZoneTransfer>

[...] but the problem remains in that opening TCP ports 1024-65535 is not much better than turning off filtering assuming that you have nothing listening in the well-known port range.

That depends from the capabilities of your firewall and whether it can distinguish connect() from listen().  You have to enable only TCP connections from those local ports, not TCP connections to those local ports.