Just wanted to let you know I somewhat found a solution and edited my post to reflect that.

I’ll check it out. Thanks!

Rootless podman. The plan is to eventually move WG into a container once I get it working, but it’s running on bare metal at the moment.

Nope. I can’t ssh in either.

I do see the request. I’m running it inside a container so all the clients show up as the container’s hostname.

Just one on the pihole box and using the local address of it for all LAN DNS.

It is in the DMZ. I also use the box for Jellyfin so I want it remotely accessible.

I just tried disabling it for a short while with the same result. It still gets blocked in the 10.14.0.* network.

Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.

No. I mean that my router doesn’t forward requests for port 53 to my server. My server’s firewall does allow access to port 53, and all my LAN devices are able to use it freely.

I am. Server IP is 192.168.1.xxx. DNS server is running on that machine. It already allows access from all interfaces. I just don’t have port 53 natted from my router to avoid creating an open resolver.

Look into Pi-hole. It’s an easy-to-setup DNS server which can run on a Raspberry Pi (or a Linux desktop/server if you have one.) You can then set your devices’ DNS servers to the local address where the Pi-hole is running. Since it would be running on your local network, any requests to it shouldn’t go through your ISP in the first place. I’d still recommend getting your own router anyways because this kind of ISP fuckery is more common than you’d expect. Plus, your exact configurations follow you anywhere you move. If you do end up getting one, set the local DNS server in the DHCP settings of your router to avoid having to set it on each device.