
I have configured bind9 on an Ubuntu 16.04 server on our local network.

dig legalact.uz returns the following:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> legalact.uz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27505
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;legalact.uz. IN A

;; ANSWER SECTION:
legalact.uz. 604800 IN A 46.255.68.41

;; AUTHORITY SECTION:
legalact.uz. 604800 IN NS ns.legalact.uz.

;; ADDITIONAL SECTION:
ns.legalact.uz. 604800 IN A 46.255.68.41

;; Query time: 0 msec
;; SERVER: 192.168.1.107#53(192.168.1.107)
;; WHEN: Mon Jan 16 10:30:44 +05 2017
;; MSG SIZE rcvd: 89

But if I try dig legalact.uz from another network, it returns the following answer:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> leagalact.uz
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @46.255.68.41 legalact.uz returns the correct answer:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @46.255.68.41 legalact.uz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40237
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;legalact.uz. IN A

;; ANSWER SECTION:
legalact.uz. 604800 IN A 46.255.68.41

;; AUTHORITY SECTION:
legalact.uz. 604800 IN NS ns.legalact.uz.

;; ADDITIONAL SECTION:
ns.legalact.uz. 604800 IN A 46.255.68.41

;; Query time: 48 msec
;; SERVER: 46.255.68.41#53(46.255.68.41)
;; WHEN: Mon Jan 16 10:51:25 +05 2017
;; MSG SIZE rcvd: 89


Here are my configuration files:

named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.local
zone "legalact.uz" {
    type master;
    file "/etc/bind/zones/db.legalact.uz";
    allow-query { any; };
};

zone "68.255.46.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.46";
    allow-query { any; };
};

named.conf.options
options {
    directory "/var/cache/bind";

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    listen-on { any; };

    dnssec-enable yes;
    dnssec-validation yes;
    recursion yes;
    forward only;
    auth-nxdomain yes; # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { any; };
};

db.46
$TTL 604800
@ IN SOA ns.legalact.uz. admin.legalact.uz. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.legalact.uz.
41 IN PTR legalact.uz.

db.legalact.uz
$TTL 604800
@ IN SOA ns.legalact.uz. admin.legalact.uz. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

;dnsserver
@ IN NS ns.legalact.uz.
@ IN A 46.255.68.41
ns IN A 46.255.68.41

Chajar

1 Answer


If we ask the UZ servers who is authoritative for legalact.uz, they say...

sarnath:~% dig ns legalact.uz @ns.uz.

; <<>> DiG 9.11.0-P2 <<>> ns legalact.uz @ns.uz.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11032
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;legalact.uz.           IN  NS

;; AUTHORITY SECTION:
legalact.uz.        14400   IN  NS  ns1.activeby.net.
legalact.uz.        14400   IN  NS  ns2.activeby.net.

;; Query time: 90 msec
;; SERVER: 91.212.89.8#53(91.212.89.8)
;; WHEN: Mon Jan 16 09:14:18 CET 2017
;; MSG SIZE  rcvd: 88

Looking closer at the two activeby.net servers, they give SERVFAIL for your domain name and they don't seem to have the IP addresses you use in your configuration example. So it looks like you need to contact your registrar to have them update the delegation information at the UZ level. Until your own servers are pointed out there, it doesn't matter how well you configure your name servers, since nobody will know that they should talk to them.

Calle Dybedahl
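
The comparison made in the answer above can be automated. The following is an added example, not part of the original answer: it parses the NS records the parent returns (the `dig ns legalact.uz @ns.uz.` output) and the NS records the intended server returns (the `dig @46.255.68.41 legalact.uz` output), both copied from this page, and reports any mismatch. The function names are this example's own, and the glue check assumes the usual rule that a name server inside the delegated zone needs an address record at the parent.

```python
import re

# Parent side: AUTHORITY section of `dig ns legalact.uz @ns.uz.` (from the answer).
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
legalact.uz.        14400   IN  NS  ns1.activeby.net.
legalact.uz.        14400   IN  NS  ns2.activeby.net.
"""

# Child side: what the server at 46.255.68.41 says about itself (from the question).
CHILD_ANSWER = """\
;; AUTHORITY SECTION:
legalact.uz. 604800 IN NS ns.legalact.uz.

;; ADDITIONAL SECTION:
ns.legalact.uz. 604800 IN A 46.255.68.41
"""

# owner, TTL, class IN, type, rdata as printed by dig
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_records(dig_text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        m = RR.match(line)
        if m and not line.startswith(";"):
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def ns_set(records, zone):
    """Names of the NS records owned by the zone apex."""
    return {rd for owner, rtype, rd in records if owner == zone and rtype == "NS"}

def check_delegation(zone, parent_text, child_text):
    """Compare the parent's delegation with the child's own NS set."""
    zone = zone.lower().rstrip(".") + "."
    parent = ns_set(parse_records(parent_text), zone)
    child = ns_set(parse_records(child_text), zone)
    return {
        "consistent": bool(parent) and parent == child,
        "only_in_parent": sorted(parent - child),   # resolvers are sent here
        "only_in_child": sorted(child - parent),    # nobody is told about these
        # in-zone name servers need glue (an address record) at the parent
        "needs_glue": sorted(n for n in child if n.endswith("." + zone)),
    }

if __name__ == "__main__":
    print(check_delegation("legalact.uz", PARENT_REFERRAL, CHILD_ANSWER))
```

For the data on this page the result is inconsistent: the parent lists only the two activeby.net servers, while ns.legalact.uz appears only on the child side and would need glue when the delegation is updated.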