Thanks for the continued dialogue, I understand your point. However, prior to making the 192.168.8.x subnet, when everything was on the 192.168.7.x subnet, I had the same NAT redirect rule in place (but pointing to a host in the 7.x subnet) and dig was happy.
Can’t this be resolved via an outbound NAT rule? Also, because DNS is working ok, should I just ignore this error (and keep the NAT redirect in place)?
I’m digging (no pun intended!) into this because if the NAT redirect is causing underlying issues, then I’d like to find a resolution.
For additional context, the reason why I went down the route of setting up a secondary subnet is because with the previous setup (one subnet) all “rogue” redirected entries on the pihole logs appeared as if they were coming from the pfsense box vs the original host.
If there’s a way to actually retain the original hostname for the queries that are redirected, then I don’t need the second subnet at all.