Comment 7 for bug 1787739

Andreas Hasenack (ahasenack) wrote :

Ok, let's try again.

I have named.conf.options set like this in a bionic lxd container:
options {
    directory "/var/cache/bind";
    forwarders {
        1.1.1.1;
    };
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on { 10.0.100.137; };
};

10.0.100.137 is the container's eth0 address.

This works all the time:
ubuntu@bionic-bind9:~$ nslookup ubuntu.com - 10.0.100.137
Server: 10.0.100.137
Address: 10.0.100.137#53

Non-authoritative answer:
Name: ubuntu.com
Address: 91.189.94.40

Same with dnssec set to false.

Can you try with dig perhaps? I don't know how to enable debugging in nslookup (-deb or -d2 didn't change anything here).

Something like:
dig @127.0.0.1 +trace ubuntu.com

host also has some debugging available:
host -d ubuntu.com 127.0.0.1 <-- or the actual IP where bind is listening

I wonder if packets are getting truncated somehow, as you got an answer despite having a status of failure.