Configure bind9 to use Dnsmasq for local LAN names

I have a dnsmasq server (10.0.0.1) with knowledge of a hostnames and IP addresses for couple of local networks, say a Guest Wireless and Wired Networks. I also have a bind9 DNS running on a separate server (192.168.1.1), which is the authoritative DNS for the LAN. I'd like forward queries asked to the bind9 server to be resolved by the dnsmasq server. It would be acceptable if all the queries should share a common top-level domain, e.g. myhostname.lan, or myhostname.arpa, etc. What I have tried: I setup a "lan" zone with "masters" set to the dnsmasq server, similar to the setup in this article

zone "lan" 
  type slave;   
  masters { 10.0.0.225; };
};

However, this fails in a way similar to what is described in this forum question

==> /var/log/named/general.log  /var/log/named/xfer-in.log <==                                                                       12-Mar-2025 21:26:06.894 zone lan/IN: Transfer started.
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: failed to connect: connection refused  12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer status: connection refused
12-Mar-2025 21:26:06.898 transfer of 'lan/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.003 secs (0 bytes/sec) (serial 0)

I've also tried to simply set up 10.0.0.1 as a forwarder in the bind9 configuration:

...
forwarders {
	  10.0.0.1;
};
...

But I get bind9 errors of the form:

12-Mar-2025 21:13:45.884 zone lan/IN: refresh: unexpected rcode (REFUSED) from primary 10.0.0.1#53 (source 0.0.0.0#0)

I also tried simply adding 10.0.0.1 as a resolver in /etc/resolv.conf, but I still see those unexpected rcode errors. How can I set up bind9 to use my dnsmasq server at 10.0.0.1 to resolve DNS queries?