I have a very weird situation with Bind9 on Ubuntu Xenial. The server is listening on port 53 (tested with portqry from windows boxen that are trying to use it as a local DNS server) but it's timing out on requests like:

> dig @192.168.1.6 YYY +search

; <<>> DiG 9.11.0-P3 <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Search-domain is set properly on windows (ISC DHCP makes sure of that). However, as I said, portqry probing port 53 says it's listening.

> portqry -n 192.168.1.6 -o 53

Querying target system called:

192.168.1.6

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): LISTENING

Oddly still, server responds to queries on local host (from the server itself):

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23454
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;YYY.mydomain.tld.      IN      A

;; ANSWER SECTION:
YYY.mydomain.tld. 3600  IN      A       192.168.1.11

;; AUTHORITY SECTION:
mydomain.tld.    3600    IN      NS      DNS-SERVER.mydomain.tld.

;; ADDITIONAL SECTION:
DNS-SERVER.mydomain.tld. 3600  IN      A       192.168.1.6

;; Query time: 0 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Thu Feb 23 03:59:37 CST 2017
;; MSG SIZE  rcvd: 104

Netstat claims named is listening on all the usual ports/addresses:

~# netstat -tanpl | grep named
tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN      4074/named
tcp        0      0 192.168.1.6:53          0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      4074/named

Any ideas?

Edit: by popular request here is the /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };
    query-source address * port 53;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };
    forwarders {
            8.8.8.8;
            8.8.4.4;
            };
    forward first;
};
Bojan Markovic
  • Are you using iptables or any other firewall(s)? Can you ping 192.168.1.6 from the windows machines? – user16081-JoeT Feb 22 '17 at 20:23
  • In your bind config what does the `listen-on port 53 { ... }` and `allow-query { ...}` blocks say? – jscott Feb 22 '17 at 20:24
  • @user16081-JoeT As you could see by the portqry results not only could I ping it, it listens on 53 – Bojan Markovic Feb 22 '17 at 20:28
  • @jscott I don't have `allow-query {..}` block, at least not in ...options, what should it look like? – Bojan Markovic Feb 22 '17 at 20:29
  • @jscott Ok, so I set it to `allow-query { any; };` but still the same. Tested if syntax is ok (i.e. server started) with `systemctl status` – Bojan Markovic Feb 22 '17 at 20:33
  • Something is telling me you forgot to open port 53/udp. DNS uses udp by default, and falls back to tcp when the message is bigger than a single udp frame. If you look at your own successful dig command, it has come through udp. – stoned Feb 22 '17 at 22:37

1 Answer

Ok, so thanks to jscott and stoned, for posterity, if anyone else needs to troubleshoot a situation like this, here are the proposed steps:

  1. Make sure you've opened port 53 on both TCP and UDP. Port scanning UDP ports is tricky so make doubleplus sure that UDP 53 shall, indeed, pass.
  2. You should have allow-query { any; }; in the global section of your named configuration file (/etc/bind/named.conf.options on Debian/Ubuntu).
  3. Check your config syntax; on systemd machines you can use systemctl status bind9 and, depending on how logging of bind is set up, journalctl -xe -u bind9 to see if the daemon started.
  4. Test resolving from both the bind host and multiple machines.
Bojan Markovic