I'm running Debian GNU/Linux 7.8 (wheezy) with the latest version of ISPConfig 3.0.5.4p5. The server has 2 interfaces: eth0 is facing the internet and eth1 is facing an internal network. The machine has 5 IPs assigned to eth0 and 2 IPs assigned to eth1. The system has been up and running without issues now for several years, was updated to wheezy when it became stable, and up until a few days ago I have not had any issues.

Running `netstat -tuanp` shows that all internal IPs and external IPs are bound and listening for connections; all looks as it should be. Running dig I get this when using localhost (I'm ssh'd in):

```
dig +trace +additional @localhost SOA

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace +additional @localhost SOA
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```

I get the same thing when I query via the outside IPs. However, if I query either of the internal IPs it works:

```
server1:/var/log/ispconfig/httpd$ dig +trace +additional 192.168.0.2 SOA

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace +additional 192.168.0.2 SOA
;; global options: +cmd
.                       516687  IN      NS      h.root-servers.net.
.                       516687  IN      NS      d.root-servers.net.
.                       516687  IN      NS      e.root-servers.net.
.                       516687  IN      NS      l.root-servers.net.
.                       516687  IN      NS      m.root-servers.net.
.                       516687  IN      NS      b.root-servers.net.
.                       516687  IN      NS      a.root-servers.net.
.                       516687  IN      NS      f.root-servers.net.
.                       516687  IN      NS      k.root-servers.net.
.                       516687  IN      NS      c.root-servers.net.
.                       516687  IN      NS      j.root-servers.net.
.                       516687  IN      NS      g.root-servers.net.
.                       516687  IN      NS      i.root-servers.net.
a.root-servers.net.     516708  IN      A       198.41.0.4
a.root-servers.net.     603087  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     516708  IN      A       192.228.79.201
b.root-servers.net.     603087  IN      AAAA    2001:500:84::b
c.root-servers.net.     516708  IN      A       192.33.4.12
c.root-servers.net.     603087  IN      AAAA    2001:500:2::c
d.root-servers.net.     516708  IN      A       199.7.91.13
d.root-servers.net.     603087  IN      AAAA    2001:500:2d::d
e.root-servers.net.     516708  IN      A       192.203.230.10
f.root-servers.net.     516708  IN      A       192.5.5.241
f.root-servers.net.     603087  IN      AAAA    2001:500:2f::f
g.root-servers.net.     516708  IN      A       192.112.36.4
h.root-servers.net.     603087  IN      A       128.63.2.53
```

Then it hangs for a long time before I get these last two lines:

```
;; Received 496 bytes from 192.168.0.2#53(192.168.0.2) in 104323 ms
.                       0       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015042501 1800 900 604800 86400
;; Received 106 bytes from 192.112.36.4#53(192.112.36.4) in 74 ms
```

Running `named-checkzone` against my zone files, all checks out as it should, but queries to either localhost or the outside IPs all fail even though `netstat -tuanp` shows the service is bound to those ports, as seen below:

```
--snip--
udp        0      0 X.X.X.A:3103            75.75.75.75:53          ESTABLISHED 24545/named
udp        0      0 127.0.0.1:48847         127.0.0.1:53            ESTABLISHED 24907/dig
udp        0      0 X.X.X.A:57193           75.75.75.75:53          ESTABLISHED 24545/named
udp        0      0 X.X.X.B:28711           75.75.75.75:53          ESTABLISHED 24545/named
udp        0      0 X.X.X.A:53              0.0.0.0:*                           24545/named
udp        0      0 X.X.X.B:53              0.0.0.0:*                           24545/named
udp        0      0 X.X.X.C:53              0.0.0.0:*                           24545/named
udp        0      0 X.X.X.D:53              0.0.0.0:*                           24545/named
udp        0      0 X.X.X.E:53              0.0.0.0:*                           24545/named
udp        0      0 192.168.1.2:53          0.0.0.0:*                           24545/named
udp        0      0 192.168.0.2:53          0.0.0.0:*                           24545/named
--/snip--
```

Here is my named.conf:

```
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
```

Contents of /etc/bind/named.conf.options:

```
--snip--
acl "trusted" {
    192.168.1.0/16;
    X.X.X.A/29;
    localhost;
    localnets;
};
// added above lines attempting to resolve dns issue 20150425

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
        8.8.4.4;
        75.75.75.75;
    };

    auth-nxdomain yes;    # conform to RFC1035
    listen-on-v6 { ::1; };
    listen-on { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // changed above line to all from trusted testing dns issue of 20150425 failed so switched back to trusted.
    empty-zones-enable no;
};
--/snip--
```

So, summarizing again: queries to inside IPs are working, but queries to either localhost or the outside IPs time out each time.
Resolved issue... Somehow the firewall is picking up weird entries for source 0.0.0.0. Upon removing that, DNS queries began working, but nothing else was being affected... I saw HTTP requests, IMAPS and SMTPS connections working as expected but DNS failed... I still find it weird, but it's working now.
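The thread above boils down to two checks an admin wants to repeat quickly on a box like this: which addresses `named` is actually bound to on port 53, and whether the packet filter carries an odd rule with a literal single-host `0.0.0.0` source like the one the poster ended up removing. The script below is an added example, not part of the original post or of ISPConfig; it parses `netstat -tuanp` and `iptables-save` style output with awk, runs offline on constructed sample lines (the poster's redacted `X.X.X.*` addresses are replaced with documentation-range `203.0.113.*` values), and, only when invoked with `--probe`, queries each live listener with a short `dig` timeout so a silently dropped packet fails in seconds instead of hanging like the 104-second trace in the question. The `--probe` flag, the function names and the sample rule lines are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate named's port-53
# listeners and flag firewall rules with a literal 0.0.0.0/32 source host.

# Constructed sample in the layout of `netstat -tuanp` (not real output).
NETSTAT_SAMPLE='udp        0      0 203.0.113.10:3103       75.75.75.75:53          ESTABLISHED 24545/named
udp        0      0 127.0.0.1:48847         127.0.0.1:53            ESTABLISHED 24907/dig
udp        0      0 203.0.113.10:53         0.0.0.0:*                           24545/named
udp        0      0 203.0.113.11:53         0.0.0.0:*                           24545/named
udp        0      0 192.168.0.2:53          0.0.0.0:*                           24545/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      24545/named'

# Constructed sample in the layout of `iptables-save` (not the poster's rules).
IPTABLES_SAMPLE='-A INPUT -s 0.0.0.0/32 -p udp -m udp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 80 -j ACCEPT'

# dns_listeners: read netstat -tuanp output on stdin, print each local address
# on which the named process has port 53 bound (sockets owned by other
# programs, and named's outbound forwarder sockets, are ignored).
dns_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:53$/ && $NF ~ /\/named$/ {
        sub(/:53$/, "", $4); print $4 }' | sort -u
}

# odd_zero_source_rules: read iptables-save output on stdin, print rules whose
# source is the single host 0.0.0.0 (with or without /32). A /0 mask means
# "any source" and is normal, so it is deliberately not matched.
odd_zero_source_rules() {
    awk '/^-A / && / -s 0\.0\.0\.0(\/32)?( |$)/ { print }'
}

# probe_listener: ask one bound address for the root SOA with a short timeout,
# so a dropped or blocked query fails fast instead of hanging for minutes.
probe_listener() {
    if dig +time=2 +tries=1 @"$1" . SOA >/dev/null 2>&1; then
        echo "$1 answers"
    else
        echo "$1 TIMEOUT/FAIL"
        return 1
    fi
}

echo "named listens on (sample data):"
printf '%s\n' "$NETSTAT_SAMPLE" | dns_listeners
echo "firewall rules with a literal 0.0.0.0 host source (sample data):"
printf '%s\n' "$IPTABLES_SAMPLE" | odd_zero_source_rules

# Live mode (assumed flag): walk the real listeners and probe each one.
if [ "${1:-}" = "--probe" ]; then
    netstat -tuanp 2>/dev/null | dns_listeners | while read -r addr; do
        probe_listener "$addr" || true
    done
fi
```

Run it as root with `--probe` to get a per-address verdict; a listener that shows up in `dns_listeners` but fails `probe_listener` is bound correctly and being blocked on the path, which points at the packet filter rather than at `named.conf` or the zone files, exactly the split the poster hit.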