I want my DNS server to query the root DNS servers (available on the IANA website) every time. I have a pfSense that blocks everything except DNS to the IPs mentioned in my root.hints file:
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
I run "rndc flush" and "systemctl restart bind9", and I see two successful UDP queries to 192.33.4.12:53 (C.ROOT-SERVERS.NET in my root.hints file).
But then my dig doesn't work:
root@bind9:/usr/share/dns# dig example.com
;; communications error to 127.0.0.1#53: timed out
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5ea99a927127d0c8010000006605afa9e4b3261074d4217d (good)
;; QUESTION SECTION:
;example.com. IN A
;; Query time: 4996 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Mar 28 17:58:01 UTC 2024
;; MSG SIZE rcvd: 68
My logs mention almost nothing:
==> queries.log <==
28-Mar-2024 17:57:51.775 client @0x70394e7a1b68 127.0.0.1#41982 (example.com): query: example.com IN A +E(0)K (127.0.0.1)
28-Mar-2024 17:57:56.779 client @0x70394e7a2968 127.0.0.1#46681 (example.com): query: example.com IN A +E(0)K (127.0.0.1)
==> default.log <==
28-Mar-2024 17:58:01.776 client @0x70394e7a1b68 127.0.0.1#41982 (example.com): query failed (timed out) for example.com/IN/A at query.c:7824
28-Mar-2024 17:58:01.776 client @0x70394e7a2968 127.0.0.1#46681 (example.com): query failed (timed out) for example.com/IN/A at query.c:7824
And in my firewall logs I can see 14 UDP requests on port 53 that got blocked:
192.54.112.30:53
192.12.94.30:53
192.52.178.30:53
192.31.80.30:53
192.55.83.30:53
192.5.6.30:53
192.41.162.30:53
192.33.14.30:53
192.35.51.30:53
192.26.92.30:53
192.43.172.30:53
192.42.93.30:53
192.48.79.30:53
192.52.178.30:53
Those are all "VGRSGTLD-XX" from VeriSign Global Registry Services (VGRS).
Here is my named.conf.options:
acl "trusted" {
    <private_range>/24;
    127.0.0.1;
};
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on port 53 { localhost; <private_IP_of_my_DNS>; };
    recursion yes;
    allow-query { localhost; <private_range>/16; };
    allow-recursion { trusted; };
    allow-transfer { none; };
    auth-nxdomain no; # conform to RFC1035
};
Here is named.conf.default-zones, which says where to find the root.hints file:
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
Did I miss something?
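The resolution chain behind the symptoms in this post, as an added example that is not part of the original question: a small simulation of iterative resolution over a constructed delegation tree, checked against a firewall allowlist that, like the pfSense rule described, only permits the root.hints addresses. 192.33.4.12 is C.ROOT-SERVERS.NET from the posted root.hints and 192.5.6.30 is one of the blocked addresses in the post's firewall log; 192.0.2.1 and 192.0.2.80 (TEST-NET-1) are constructed placeholders for example.com's authoritative server and A record.

```python
# Constructed delegation data for a simulated iterative resolution. 192.33.4.12 is
# C.ROOT-SERVERS.NET from the posted root.hints; 192.5.6.30 is one of the .com TLD
# addresses the post's firewall blocked; 192.0.2.1 / 192.0.2.80 (TEST-NET-1) are
# placeholders for example.com. A "referral" payload holds the glue addresses of
# the next hop; an "answer" payload is the final A record.
ROOT_HINTS = {"192.33.4.12"}
DELEGATIONS = {
    "192.33.4.12": [("com.", "referral", ["192.5.6.30"])],       # root -> .com TLD
    "192.5.6.30": [("example.com.", "referral", ["192.0.2.1"])],  # TLD -> authoritative
    "192.0.2.1": [("example.com.", "answer", "192.0.2.80")],      # authoritative answer
}
ROOT_ONLY = set(ROOT_HINTS)  # the post's pfSense policy: UDP/53 only to root.hints IPs

def lookup(server, name):
    """Return the most specific (zone, kind, payload) this server holds for name."""
    best = None
    for zone, kind, payload in DELEGATIONS.get(server, []):
        in_zone = name == zone or name.endswith("." + zone)
        if in_zone and (best is None or len(zone) > len(best[0])):
            best = (zone, kind, payload)
    return best

def resolve(name, allowlist, hints=ROOT_HINTS):
    """Follow referrals from the root hints like a recursive resolver does.
    Returns (answer, blocked_ip, path): the A record or None, the first hop the
    firewall drops or None, and the servers actually contacted."""
    candidates, path = sorted(hints), []
    while candidates:
        server = candidates[0]
        if server not in allowlist:
            return None, server, path  # query to this hop never leaves the firewall
        path.append(server)
        found = lookup(server, name)
        if found is None:
            return None, None, path  # lame delegation: server has no data for name
        _zone, kind, payload = found
        if kind == "answer":
            return payload, None, path
        candidates = payload  # referral: move on to the next hop
    return None, None, path

def firewall_gaps(name, allowlist):
    """Extra destinations a root-only policy must permit for name to resolve."""
    missing = []
    while True:
        answer, blocked, _ = resolve(name, allowlist | set(missing))
        if blocked is None:
            return answer, missing
        missing.append(blocked)
```

With the root-only policy, resolve("example.com.", ROOT_ONLY) stops at the first .com TLD hop after the root has answered, which is the pattern the post's logs show: successful queries to a root server, blocked packets to the 192.x.x.30 addresses, then SERVFAIL.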