Bind Config Question, CentOS 5.10


I cannot see your firewall rules, so I may be on the wrong track here, but… it's not really a good idea to be running a recursive name server that is open to the world (any;).
Your server is trying to resolve something for a client that could be anyone. This kind of error appears when the domain being looked up is unreachable or delegated to the wrong name servers.

If you are not able to block incoming requests from external sources in your firewall, you can do it in the BIND config.

eg

// ACLs must be defined before the options block references them.
acl "clients" {
    127.0.0.1;
    ::1;

    // private
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;

    // public
    203.0.113.0/24;
    198.51.100.0/24;
    2001:db8::/32;
};

acl "my_networks" {
    192.0.2.0/24;
};

options {
    // ... existing options ...

    // who may read answers out of the cache
    allow-query-cache {
        clients;
    };

    // who may pull zone transfers (AXFR/IXFR)
    allow-transfer {
        my_networks;
    };

    // who may have this server recurse on their behalf
    allow-recursion {
        clients;
    };
};

Of course these kinds of queries might still come from your "clients" anyway, but good practice is to not provide an open recursive name server unless you really mean to. See https://www.us-cert.gov/ncas/alerts/TA13-088A
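An added example, not part of the original post and not BIND's own tooling: a small Python probe that verifies the restriction above from a client's point of view. It sends one UDP query with the RD (recursion desired) bit set for a name the server should not be authoritative for (www.example.com is an assumption; substitute any foreign name) and classifies the reply from the header flags. The sample replies at the bottom are constructed so the classifier can be exercised offline; real replies depend on the server, and BIND typically answers REFUSED when both allow-query-cache and allow-recursion deny the client.

```python
"""Probe a DNS server for open recursion (added example, not from the post).

Send a query with RD=1 for a name the target is not authoritative for and
classify the reply from its header flags. classify() runs offline on the
constructed replies below; probe() does the real UDP round trip.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid=None):
    """Standard query: QR=0, OPCODE=0, RD=1, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp):
    """Return the fields of the 12-byte DNS header that the verdict needs."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired (echoed)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(hdr):
    """Verdict for the reply to an RD=1 query about a foreign name.

    refused        - RCODE REFUSED: client rejected (what BIND typically returns
                     when allow-recursion and allow-query-cache deny it)
    authoritative  - AA set: server owns the name; probe with a different name
    open-recursion - RA set, NOERROR, answers present: it recursed for us
    no-recursion   - anything else, e.g. a referral with RA clear
    """
    if not hdr["qr"]:
        raise ValueError("packet is a query, not a response")
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"
    if hdr["aa"]:
        return "authoritative"
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "open-recursion"
    return "no-recursion"


def probe(server, name="www.example.com", port=53, timeout=3.0):
    """One UDP query to `server`; returns the classify() verdict. Needs network."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return classify(hdr)


def _reply(txid, flags, ancount):
    """Constructed header-only reply used as offline sample data."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed samples (QR=0x8000, RD=0x0100, RA=0x0080, low nibble = RCODE)
OPEN_RESOLVER_REPLY = _reply(0x1234, 0x8180, 1)  # QR RD RA, NOERROR, one answer
REFUSED_REPLY = _reply(0x1234, 0x8105, 0)        # QR RD, REFUSED
REFERRAL_REPLY = _reply(0x1234, 0x8100, 0)       # QR RD, RA clear, no answers

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for tag, reply in (("open", OPEN_RESOLVER_REPLY), ("refused", REFUSED_REPLY),
                           ("referral", REFERRAL_REPLY)):
            print(tag, classify(parse_header(reply)))
```

Run it once from inside one of the "clients" ranges (expect open-recursion, since recursion is meant for them) and once from an address outside every ACL (expect refused or no-recursion). An open-recursion verdict from the outside means the allow-recursion / allow-query-cache restriction is not in effect for that path.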