BIND9 installed on CentOs security points

Your question is too broad and lacks too many details. You should look at RRL and RPZ as bind features that could provide at least parts of the solution, besides basic ACLs (not sure what you mean by filter clients: your recursive nameservers shouldn't be open to the world, while your authoritative ones have to) Your first step however would be to make sure to separate authoritative from recursive service.

@PatrickMevzek Thanks for your anwser, i will take a look for RPZ, as my knwoldege i don't think that we can filter querys types like A records, clients ip addresses, to be honest i know about RPZ feature i think can't do this, and since UDP port 53 is open, if one client is compromised how we can protect dns servers from those DNS attacks, i'm not sure that PSAD can block & identify those attack using signatures meanwhile do you have any idea how to detect DNS attacks or is sufficient using PSAD and iptables, no need to seim ? and thanks in advance.

"if one client is compromised how we can protect dns servers from those DNS attacks" Anyway you ask, before jumping to solutions, you will need to explain exactly against which attack you are trying to protect against (without a laundry list) because not clear what one client can do to a DNS server in your views.

@Patrick Mevzek, i agree it's not well explained from my side, So like DNS tunneling since port udp 53 is opnening in iptables, can the tool PSAD identify dns attacks based on signatures.Thanks in advance Patrick.

I sit in a Tesla and translated this thread with Ai: