Bind9 not doing anything with forwarded query responses?

Posted by Rykaro on Server Fault
Published on 2012-07-04T14:06:28Z


I have a Bind DNS server that is the local production DNS server and a Windows 2008 R2 domain controller that provides DNS for a lab environment with the domain xyz.lab. I've configured the Bind DNS to forward DNS requests for the domain xyz.lab to the Windows DNS server with this config:

zone "xyz.lab" {
    type forward;
    forward only;
    forwarders { x.x.x.x; };
};

zone "x.x.x.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { x.x.x.x; };
};

And the Bind options are (the all_internal acl includes the subnets of both the production and lab networks as well as the loopback of the Bind server):

    allow-query { all_internal; };
    allow-recursion { all_internal; };
    allow-transfer { none; };
    notify no;
    minimal-responses yes;
    version "unknown";

Unfortunately, when I do an nslookup or dig on the bind server for a host on the lab domain, the request times out. The logs on the Windows 2008 DNS server show it receiving the query and responding to it and a network packet trace shows the query responses arriving at the Bind DNS server.

The servers reside on the same switch with a router providing connectivity between the layer 3 subnets (production and lab are on different subnets) and there is a round trip time of between 3ms and 5ms on pings between the two servers, so I don't think there is an issue with latency causing a timeout of the query.

In summary, a query response arrives back at the Bind server and the nslookup/dig times out. Why does the Bind DNS not seem to be doing anything with the query responses when it receives them?
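The checks a recursive resolver applies before it accepts a UDP response for an outstanding query, as an added example that is not part of the original post or of BIND's code: the reply must come back from the address and port the query was sent to, must have the QR bit set, must carry the same transaction ID, and must repeat the same question section. A reply that fails any of these is dropped without being logged at the default level, which from the client's side looks exactly like "the response arrived in the trace but the lookup timed out". The packets and the addresses (10.0.1.10 standing in for x.x.x.x) are constructed here for illustration, not taken from the poster's environment.

```python
import struct

FORWARDER = ("10.0.1.10", 53)  # assumed address of the Windows DNS server (x.x.x.x in the post)


def build_query(txid, qname, qtype=1, qclass=1):
    """Build a minimal DNS query (RD set) for qname/qtype/qclass."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)


def build_response(query, answer_ip, txid=None, rcode=0):
    """Build an authoritative-looking answer to `query` with one A record.
    txid can be overridden to simulate a mismatched reply."""
    txid_q = struct.unpack("!H", query[:2])[0]
    txid = txid_q if txid is None else txid
    flags = 0x8180 | rcode  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]
    # name pointer to offset 12 (the question name), type A, class IN, TTL, rdlength, rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + question + rr


def parse_name(msg, off):
    """Decode a (possibly compressed) name starting at offset `off`."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            off += 2
            break
        off += 1
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def parse_header_and_question(msg):
    """Return the header fields and first question of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname.lower(), "qtype": qtype, "qclass": qclass, "ancount": an}


def response_matches(query, resp, sent_to, received_from):
    """Apply the resolver's acceptance checks. Returns (accepted, reason).
    sent_to / received_from are (ip, port) tuples."""
    q = parse_header_and_question(query)
    r = parse_header_and_question(resp)
    if received_from != sent_to:
        return False, "dropped: reply from %s, query was sent to %s" % (received_from, sent_to)
    if not r["qr"]:
        return False, "dropped: QR bit not set, this is a query not a response"
    if r["id"] != q["id"]:
        return False, "dropped: transaction id 0x%04x != 0x%04x" % (r["id"], q["id"])
    if (r["qname"], r["qtype"], r["qclass"]) != (q["qname"], q["qtype"], q["qclass"]):
        return False, "dropped: question section differs"
    return True, "accepted: rcode=%d, %d answer(s)" % (r["rcode"], r["ancount"])


# Constructed sample exchange: one query, one correct reply, one with a bad ID.
QUERY = build_query(0x1234, "host1.xyz.lab")
GOOD_REPLY = build_response(QUERY, "10.0.1.25")
BAD_ID_REPLY = build_response(QUERY, "10.0.1.25", txid=0x4321)


def demo():
    """Run the three scenarios a practitioner would compare against a trace."""
    return {
        "good": response_matches(QUERY, GOOD_REPLY, FORWARDER, FORWARDER),
        "wrong_source": response_matches(QUERY, GOOD_REPLY, FORWARDER, ("10.0.1.11", 53)),
        "wrong_id": response_matches(QUERY, BAD_ID_REPLY, FORWARDER, FORWARDER),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-13s %s" % (name, why))
```

When reading the packet trace on the Bind host, the source IP and port of the reply, its transaction ID and its question section are the fields to compare against the outgoing query; a multi-homed forwarder that answers from a different interface address than the one the query was sent to is the classic way the first check fails. Raising BIND's logging for the `resolver` category is the way to confirm whether a reply was discarded rather than never seen.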
