for example "server.domain.test" to "172.17.17.1", and not anything else.
If you know what the answer is going to be (say it's always 172.17.17.1) then you can over-ride the host/domain with a local instance of unbound.
Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.
If you only want one host to resolve one particular record would you not be better off doing something with that hosts host file and simply tell that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved at if I understand your use case correctly. If you think the IP might change more often a little bash script on another machine that can resolve all host name could make the update every 5 minutes or something if you'd with right?