Bind not forwarding query after upgrade from 9.11 to 9.16
The actual problem is unclear from the question, but what is clear is that you have trouble with your logging configuration in particular and troubleshooting in general.
I'll focus on those aspects instead as the actual problem is quite possibly trivial once you can see the log.
Logging
The way your logging
configuration is overridden is very likely the reason why cannot find the problem.
Even just going back to the default logging behavior (ie, if you were to rip out the whole logging
part from your config) you should have an acceptable baseline in terms of at least basic troubleshooting.
To make your current config better, I would strongly suggest also sending the default
category (catches all categories that you have not created specific configuration for) somewhere.
You are currently throwing away most types of log messages (everything but update
, security
and queries
).
I would expect that for instance the resolver
or network
categories could be relevant to the problem, but as I noted default
would catch "everything else" so that is probably a better idea than starting to guess from the quite long list of categories.
For troubleshooting it can in also sometimes be useful to start BIND with named -g
(starts named in the foreground, with log output in the terminal), but I suggest fixing the logging configuration regardless.
Configuration/data validity
If there was a problem in this regard it should show in the log (after the fix noted above!), but there is also tooling specific for this purpose.
Something like
named-checkconf -zj
would be helpful for a baseline check that the config + data is "ok" (checks that config+zones are possible to load, not necessarily good).
Other configuration problems, unlikely to be related to the problem at hand
There are also some entries in the configuration in the question that just seem really bad. Unless there really is some good reason for these, I would strongly suggest removing them:
auth-nxdomain yes;
Forces BIND to send incorrect NXDOMAIN responses for non-authoritative NXDOMAIN responses. Why would you want this?
query-source address * port 53;
Forces the source port to be 53 for outbound queries, while the only really acceptable practice (and default) is to use randomization from a large span of ports. Your config opens up for spoofed responses abuse.
dnssec-validation no;
Disables DNSSEC validation, further opening up for abuse.