bind9 in a container refuses queries coming through the Docker-translated port


I am running bind9 as a DNS service from an Ubuntu container. UDP port 53 is published on the host IP. Queries pointed directly at the container IP (from the host) get an answer. But queries pointed at the host IP come back with status REFUSED.

Command used to deploy the container:

docker run -dit --net=new -p 192.168.37.152:53:53/udp --name 99 ubuntu

named configuration file in the container:

$ docker exec -it 99 cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        recursion yes;
        listen-on-v6 { any; };
        forwarders { 8.8.4.4; };
        listen-on { any; };
};

IP address of the container:

$ docker exec -it 99 ip a | grep 'inet '
    inet 127.0.0.1/8 scope host lo
    inet 10.1.1.2/24 brd 10.1.1.255 scope global eth0

dig output when pointed at the container IP:

$ dig @10.1.1.2 adobe.com

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> @10.1.1.2 adobe.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23978
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 095943567db30380010000005f24e59b887572779e0e50ab (good)
;; QUESTION SECTION:
;adobe.com.                     IN      A

;; ANSWER SECTION:
adobe.com.              7       IN      A       192.147.130.204
adobe.com.              7       IN      A       193.104.215.58

;; Query time: 96 msec
;; SERVER: 10.1.1.2#53(10.1.1.2)
;; WHEN: Sat Aug 01 03:46:35 UTC 2020
;; MSG SIZE  rcvd: 98

dig output when pointed at the host IP:

$ dig @192.168.37.152 adobe.com

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> @192.168.37.152 adobe.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 38030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ba6997f5b02fd9a4010000005f24e5cee0bf9a6082cede1e (good)
;; QUESTION SECTION:
;adobe.com.                     IN      A

;; Query time: 0 msec
;; SERVER: 192.168.37.152#53(192.168.37.152)
;; WHEN: Sat Aug 01 03:47:26 UTC 2020
;; MSG SIZE  rcvd: 66

Why does a query to the host IP return a REFUSED response?

Answer 1

Possibly because allow-recursion is not set. Try adding allow-recursion { 192.168/16; }; to named.conf.options.
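As an added illustration (not part of the question or the answer above): the options block from the question with the answer's suggestion applied, written so that recursion and queries are limited to the two networks that appear on this page instead of being opened to everyone. The ACL name lan is an assumption for this example; the 192.168.37.0/24 and 10.1.1.0/24 ranges are the host LAN and the container network shown in the question.

```conf
// Added example, not the original poster's file. Assumes BIND 9 on Ubuntu,
// with /etc/bind/named.conf.options being the file shown in the question.

// Clients that may use this server as a recursive resolver.
// Keep this list tight: a published UDP/53 port is reachable by anything
// that can reach the host IP, and "any" here would create an open resolver.
acl lan {
        127.0.0.0/8;        // localhost inside the container
        10.1.1.0/24;        // docker network (assumed from 10.1.1.2/24 above)
        192.168.37.0/24;    // host LAN (assumed from 192.168.37.152 above)
};

options {
        directory "/var/cache/bind";

        dnssec-validation auto;

        recursion yes;
        // Without this, BIND's built-in default applies and queries that
        // arrive with a source address outside it are answered REFUSED.
        allow-recursion { lan; };
        allow-query     { lan; };
        allow-query-cache { lan; };

        forwarders { 8.8.4.4; };
        listen-on { any; };
        listen-on-v6 { any; };
};
```

Check the syntax with named-checkconf before reloading, then apply it with rndc reload (or restart the container). If the host-IP query is still refused, turn on the query log with rndc querylog and look at the client address BIND records for that query: traffic entering through a published Docker port can arrive with the address of Docker's userland proxy on the bridge or with the original client address, depending on how the port is forwarded, and that is the address that has to be covered by the ACL.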
