Forward DNS queries of a subdomain to another port

As far as I can tell, this is impossible. It's as if the BIND authors have explicitly went out of their way to make sure no one can accomplish this - at least, not without making your server an open resolver.

• Unlike some other DNS software, BIND does not support a "forward" record type (which would simply make the software consult a different server when matched). There is no way to add forwarding at the "zone" level.
• Although it's possible to create a forwarding (type forward) zone for a subdomain, which also allows querying a DNS server on an arbitrary port, for some reason this requires enabling the allow-recursion option to work.
• However, the allow-recursion option cannot be specified at the zone level - it can either be a global option (and enabling it there opens your server's DNS up as a public resolver), or in a "view".
• Views allow grouping zones and applying certain options (including allow-recursion) to them, however, since their purpose is to restrict by client/server IPs, they will also not behave as one might expect and match even zones that are not explicitly specified in them (thus making your server a public resolver).
• BIND does have a way to restrict queries to only those zones explicitly listed in a view: a blank allow-query at the view level, and allow-query { any; }; at the zone level. Unfortunately: option 'allow-query' is not allowed in 'forward' zone. That's the verbatim message BIND gives you.