Almost all unpatched BIND servers are potentially vulnerable. The fix for this defect is very localized to one specific area of the BIND code. The practical effect of this is that this bug is difficult to defend against (except by patching) and will not be particularly difficult to reverse-engineer. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. Please take steps to patch immediately.”]
Source: https://lists.isc.org/pipermail/bind-users/2015-July/095347.html