Seems weird to me, the router would need to do deep packet inspection of DNS and selectively block specific ones. It feels more like you’ve set up your DNS to do forwarding instead of resolution. Can you post a network diagram and the DNS config?

Do tcpdump host $server instead. Otherwise you will only see the request (the response goes to a different port).

Just to be sure you do dig A @server $domain (with the “A”) and can confirm the following

SERVER is your server

;; ANSWER SECTION is empty (or doesn’t exist)

;; AUTHORITY SECTION mentions your local DNS server

Also check

dig NS @server $domain

Is your server in the answer section?

Here is how I would diagnose (I’m assuming you have Linux / WSL on a client)

1. Check the DNS record is actually set (yes do it again)
2. Do these steps on the client:
3. dig $domain check which server answered
4. dig a $domain should give a record
5. dig a $domain @server to make sure you’re querying the right server

If none work, probably network issue (DNS boind to wrong IP, firewall, etc)

If 3 and 5 work but 4 doesn’t, your DNS isn’t authorative.

If only 5 works DNS settings on the client is wrong.