Change in DNS Behaviour between Turris 5.2 and 5.1.x

There seems to have been a change in the behaviour of DNS between turris 5.1.x and 5.2. But right now I cannot pinpoint the change. Thus I share my thoughts about this change here.

In Turris 5.1.x I had servers running outside of my lan and inside of my lan, both available under the same domain name. The servers inside my lan are added from the DHCP table and this custom.conf of kresd:

--- /etc/kresd/custom.conf
-- Forward (stub, no recursion) every query for the LAN domain and the
-- 192.168.0.0/16 reverse zone to the dnsmasq instance on 127.0.0.1:5353.
local lan_rule = policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), policy.todnames({'example.com','168.192.in-addr.arpa'})))
-- Remove the rule again and re-insert it at the head of the rule list so
-- it is evaluated before any other (e.g. upstream forwarding) rule.
policy.del(lan_rule.id)
table.insert(policy.rules, 1, lan_rule)

(I substituted my domain with example.com in this example)

Now (Turris 5.1.x) I can reach my webmailer in the outside world under webmailer.example.com as well as my internal NAS, which only exists in the LAN, by its domain name nas.example.com.

In turris 5.2 this does not work anymore. It seems like the meaning or interpretation of “local domain” and “local server” (as configured in /etc/config/dhcp) has changed.

For instance:
  • If I specify lan.example.com as my local server, a ping to nas gets extended to nas.lan.example.com despite the local domain having the value example.com.
  • If I leave local server empty, a ping to nas gets extended to nas.example.com. This is the expected behaviour. But queries to the domain lan.example.com would now be forwarded to the outside world (at least according to the documentation).

So, I assume the value in local server somehow interferes with local domain.

I think all your blocking issues are with dnsmasq configuration which I do not know well, but let me post a couple other minor points that I’ve noticed:

  • Using port 5353 this way feels… risky to me. It’s allocated for the mDNS protocol (e.g. avahi) that is relevant to LAN and even has very similar wire-format, but it’s a different protocol.
  • The kresd configuration hack with deletion and reinsertion shouldn’t be needed anymore (for a very long time, since TOS 4.0.0 in most cases, 5.0.0 possibly in some others).
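The two points above, written out as a kresd custom.conf for the same setup. This is an added example, not the configuration of any poster in this thread: it assumes dnsmasq has been moved to 127.0.0.1 port 5354 (any free port outside 5353/mDNS would do) and that the LAN uses example.com with the 192.168.0.0/16 reverse zone. The rule is simply added with policy.add(); the delete-and-reinsert at the head of policy.rules is left out, as the reply says it is no longer needed.

```lua
-- /etc/kresd/custom.conf (added example; assumptions noted inline)

-- Port 5354 is an assumption: a port chosen for dnsmasq that does not
-- collide with 5353, which is allocated to mDNS (avahi) on the LAN.
local lan_stub = policy.STUB('127.0.0.1@5354')

-- Zones that dnsmasq is authoritative for from its DHCP lease table:
-- the LAN domain and the reverse zone for 192.168.0.0/16.
local lan_zones = policy.todnames({
  'example.com',
  '168.192.in-addr.arpa',
})

-- STUB sends matching queries to dnsmasq without recursion, so names
-- that exist only in the LAN (nas.example.com) never reach upstream,
-- while dnsmasq itself can still forward webmailer.example.com and
-- other public names back through the resolver's normal path.
policy.add(policy.suffix(lan_stub, lan_zones))
```

After restarting kresd, a lookup of nas.example.com against the router should answer from dnsmasq's lease table, and a lookup of a name in the reverse zone (e.g. a LAN client's 192.168.x.y address) should resolve to the hostname it registered over DHCP; a public name under the same domain still resolves because dnsmasq forwards what it does not know.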

Thank you very much for your kind reply.

You are very right. I noticed that whilst debugging this night, and changed the port.

Well then, let's see what happens when I remove the custom config and tick that “DHCP checkbox” in reForis’ DNS settings.

Edit: if this works as expected I’ll try to dive into the dnsmasq configuration.

It shouldn’t make a difference; it’s just unnecessary anymore.

I removed the custom configuration, and rebooted the router as well as the client. It suddenly works as expected again. I have no idea what caused this hiccup. Maybe it was just too late at night for me.
