Bind not forwarding query after upgrade from 9.11 to 9.16

domain-name-system bind

The actual problem is unclear from the question, but what is clear is that you have trouble with your logging configuration in particular and troubleshooting in general.
I'll focus on those aspects instead as the actual problem is quite possibly trivial once you can see the log.

Logging

The way your logging configuration is overridden is very likely the reason why cannot find the problem.

Even just going back to the default logging behavior (ie, if you were to rip out the whole logging part from your config) you should have an acceptable baseline in terms of at least basic troubleshooting.

To make your current config better, I would strongly suggest also sending the default category (catches all categories that you have not created specific configuration for) somewhere.
You are currently throwing away most types of log messages (everything but update, security and queries).
I would expect that for instance the resolver or network categories could be relevant to the problem, but as I noted default would catch "everything else" so that is probably a better idea than starting to guess from the quite long list of categories.

For troubleshooting it can in also sometimes be useful to start BIND with named -g (starts named in the foreground, with log output in the terminal), but I suggest fixing the logging configuration regardless.

Configuration/data validity

If there was a problem in this regard it should show in the log (after the fix noted above!), but there is also tooling specific for this purpose.

Something like

named-checkconf -zj

would be helpful for a baseline check that the config + data is "ok" (checks that config+zones are possible to load, not necessarily good).

Other configuration problems, unlikely to be related to the problem at hand

There are also some entries in the configuration in the question that just seem really bad. Unless there really is some good reason for these, I would strongly suggest removing them:

auth-nxdomain yes;

Forces BIND to send incorrect NXDOMAIN responses for non-authoritative NXDOMAIN responses. Why would you want this?

query-source address * port 53;

Forces the source port to be 53 for outbound queries, while the only really acceptable practice (and default) is to use randomization from a large span of ports. Your config opens up for spoofed responses abuse.

dnssec-validation no;

Disables DNSSEC validation, further opening up for abuse.

Related

How do I create a ec2 launch template that automatically assigns an ipv6 address?
How do I replicate a Cinnamon window manager configuration?
ZFS data lost after a rollback happening on reboot
Connecting to VPC internal services from Google Cloud Shell
How to fix this error (querySelector is used): Cannot read properties of undefined (reading 'style') at showSlides
Convert list to list of lists
Async method call from ThreadPool thread deadlocks
Center Expanded ListView inside Column Flutter
Rolling count of IDs over time frame with condition
How to cofigure nginx to serve a pdf file?
Why place of Mem[MA] in MB then copy from MB to IR rather than going straight from Mem[MA] to IR?
Why does this dplyr filter not work in shiny, but works fine when run without shiny?