In an environment where I already have two domain controllers acting as name servers, I would like to run a BIND caching server installed on Ubuntu 20.04.3 LTS to act as the nameserver for specific hosts.
The domain controllers use the ISP's DNS as forwarders.
I was using this tutorial: https://kifarunix.com/setup-caching-only-dns-server-using-bind9-on-ubuntu-20-04/
Ubuntu server with BIND IP: 192.168.1.240, DC1: 192.168.1.180, DC2: 192.168.1.250
My /etc/bind/named.conf.options:
//DNS Server ACL
acl "trusted" {
    192.168.8.0/24;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; trusted; };
    listen-on port 53 { localhost; 192.168.1.240; };
    allow-query { localhost; trusted; };
    allow-transfer { none; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { none; };
};
My /etc/resolv.conf:
nameserver 127.0.0.53
options edns0 trust-ad
search wielton.corp
Output of "systemd-resolve --status" on the BIND server:
Global
       LLMNR setting: no
  MulticastDNS setting: no
    DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (ens160)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
  MulticastDNS setting: no
    DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.180
         DNS Servers: 192.168.1.180
                      192.168.1.250
          DNS Domain: mydomain.name
I test BIND from a client in the 192.168.8.0 subnet (added as trusted in named.conf.options). It is possible to resolve IPs and names of external domains (I suppose BIND uses root hints to do that), but a query for the local domain ends with Non-existent Domain.
I left forwarders commented out in named.conf.options, but I see no difference when I uncomment forwarders and add the DC1 and DC2 IPs there.
When recursion is set to no, external domains aren't resolved.
Maybe there is something to do on the domain controllers? "Enable BIND secondaries"?
Please advise.
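For reference, a per-zone conditional forward that sends only the AD domain to the two domain controllers while everything else keeps using root hints. This is an added example, not part of the question or of the tutorial linked above; the DC addresses are taken from the post, the zone name wielton.corp is assumed from the resolv.conf search line, and the reverse zone is an assumption that the DCs host it. On Ubuntu this goes in /etc/bind/named.conf.local.

```conf
// Added example: forward only the AD domain to the domain controllers.
// Zone name is assumed from the "search wielton.corp" line in the post.
zone "wielton.corp" {
    type forward;
    forward only;   // never fall back to root hints for this zone
    forwarders { 192.168.1.180; 192.168.1.250; };
};

// Reverse zone for the 192.168.1.0/24 LAN, so PTR lookups also reach the DCs
// (assumption: the DCs are authoritative for this reverse zone).
zone "1.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.1.180; 192.168.1.250; };
};

// Note: the global "dnssec-validation auto;" in named.conf.options stays in
// place. If BIND 9.16 rejects the unsigned answers from the DCs for this
// private TLD with SERVFAIL, the options block can exempt it with:
//     validate-except { "corp"; };
```

Check the syntax with `named-checkconf` and apply with `rndc reload`, then query from the trusted subnet with `dig @192.168.1.240 HOST.wielton.corp` (HOST is a placeholder); the answer should now come from the DCs instead of NXDOMAIN.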