Tom,
X-Frame-Options is an HTTP response header, and there are multiple places where it could be added - sometimes there is a Web Application Firewall between the web server and the evil internet, so it could as well be added there. Also MVC does add this header since (don't know).
When it is in the web.config file, it typically looks like this:
<system.webServer>
...
<httpProtocol>
...
<customHeaders>
...
<add name="X-Frame-Options" value="SAMEORIGIN" />
...
</customHeaders>
...
</httpProtocol>
...
</system.webServer>
Unfortunately you don't have much options. DENY (denies it always), SAMEORIGIN (allows displaying the document from the same web server) and ALLOW-FROM https://example.com/ (allows it from this domain only). And the bad thing with the last option is: it does not allow multiple domains to be entered.
And: It is deprecated. It should be replaced by a CSP (Content Security Policy) statement, like
Content-Security-Policy: frame-ancestors 'self' example.com *.example.net;
You see you can allow multiple ancestors if you use this. But be careful with creating a CSP, chances are good that your site won't work anymore. There is a report-only option that displays possible issues in the browser console, so it is good to test it against all pages of your site this way. And you can use the great report-uri.com as a good tool for creating and maintaining your CSP.
Happy DNNing!
Michael