DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2762: How to intercept hard-coded DNS to 8.8.8.8 and redirect?

21 Oct 2021 12:44 #13 by pharcyder
Is the device you're using for this test on the same VLAN / Subnet as your PiHole?


23 Oct 2021 14:07 #14 by tomek
Yes, only LAN1 is setup so far. Perhaps I don't understand how it's meant to work.

If I set the DNS servers for LAN1 as Google and then also set conditional forwarding to Google, but then do a DNS lookup targeting the PiHole, the queries still hit the PiHole. I'd have thought the 2865 should proxy it to Google?

If I do a DNS lookup specifying that the DNS server is a WAN address (but actually it isn't a DNS server) then it does reply (presumably as the 2865 forwarded it to Google). So it seems like it only works if the forwarded DNS is remote?

I might see if I can work out the firewall port 53 rule instead.


06 Jan 2022 11:21 #15 by byboxsimon
I know I'm a bit late to this discussion, but it seems the same or very similar to the issue I'm getting and wondered if you could share any advice / explain the solution to me.

I am trying to ensure any hard-coded DNS is redirected through my pi-hole. On my Vigor2762ac Applications > LAN DNS / DNS Forwarding I set up a profile for DNS forwarding for full wildcard domain to the IP of my pi-hole. With that enabled the pi-hole gets flooded with requests from the router (> 1000 p/m) and throttles it. Outlook on my desktop reports it can't connect to the exchange server, Microsoft Teams reports itself as offline and my Android phone says it's connected to my WiFi but with no internet access. So it seems that maybe I'm partially successful in forcing the hard-coded DNS, but it causes enough other issues that it's not the solution. Blocking port 53 on the firewall feels like it will also just break stuff.
Most articles I've seen suggest a NAT to redirect as that would appear as though the hard-coded DNS was responding though it would in fact be being handled by the pi-hole.

From what I've understood of this post the Vigor2762 doesn't support the redirecting approach and instead I'd need to set up hosts that map 8.8.8.8 to my pi-hole, and I guess I could do that for each hardcoded DNS (but besides the google ones I don't know many others). Does that sound like a solution?


06 Jan 2022 21:31 #16 by hornbyp
ByBoxSimon wrote:
Blocking port 53 on the firewall feels like it will also just break stuff.

You'd only be stopping LAN clients from connecting willy-nilly to external DNS servers. Add a default block rule, then a rule to allow only your 'Pi-hole' access. (The Vigor itself won't be affected by this - it's the other side of the firewall).

ByBoxSimon wrote:
Most articles I've seen suggest a NAT to redirect as that would appear as though the hard-coded DNS was responding though it would in fact be being handled by the pi-hole.

Intriguing, but my view is that clients on my network must use my settings :twisted:

ByBoxSimon wrote:
From what I've understood of this post the Vigor2762 doesn't support the redirecting approach and instead I'd need to set up hosts that map 8.8.8.8 to my pi-hole, and I guess I could do that for each hardcoded DNS (but besides the google ones I don't know many others).

Well I made no real sense out of the lan-forwarding stuff and just used a version of @Markvoip's solution (though I did it on Windows Server).

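The two approaches debated above (byboxsimon's NAT redirect, hornbyp's default-block plus Pi-hole-only allow rule) modelled in Python as an added example, not code from this thread or from DrayTek. All addresses are constructed, and the model is generic packet handling rather than any Vigor feature; it shows why a redirected client believes 8.8.8.8 answered, why the Pi-hole itself must be exempt from the redirect, and how the rule order gives the block-rule result.

```python
# Added example: model of DNAT redirect vs. a port-53 block rule for hard-coded DNS.
# Addresses are constructed; this is not a DrayTek configuration.
from dataclasses import dataclass

PIHOLE = "192.168.1.2"   # constructed Pi-hole address on LAN1
LAN = "192.168.1."       # constructed LAN1 prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def lan_to_wan(p: Packet) -> bool:
    return p.src.startswith(LAN) and not p.dst.startswith(LAN)


class DnsRedirector:
    """DNAT model: outbound port-53 traffic from LAN clients is sent to the
    Pi-hole and the reply is un-translated, so the client still sees a reply
    from the address it asked (e.g. 8.8.8.8).  The Pi-hole's own upstream
    queries are exempt, otherwise they would loop back to itself."""

    def __init__(self, pihole: str = PIHOLE):
        self.pihole = pihole
        self.conntrack = {}  # (client, sport) -> (original dst, original dport)

    def outbound(self, p: Packet) -> Packet:
        if not lan_to_wan(p) or p.dport != 53 or p.src == self.pihole:
            return p  # not a LAN client's plain DNS query: leave untouched
        self.conntrack[(p.src, p.sport)] = (p.dst, p.dport)
        return Packet(p.src, p.sport, self.pihole, 53)

    def inbound(self, p: Packet) -> Packet:
        orig = self.conntrack.get((p.dst, p.dport))
        if p.src != self.pihole or orig is None:
            return p
        return Packet(orig[0], orig[1], p.dst, p.dport)  # reply appears to come from 8.8.8.8


def firewall_verdict(p: Packet, pihole: str = PIHOLE) -> str:
    """hornbyp's ordering: allow the Pi-hole to reach external DNS, block every
    other LAN client's outbound port-53 flow, pass everything else.  Note this
    only covers plain DNS on port 53, not DNS over TLS/HTTPS on other ports."""
    if lan_to_wan(p) and p.dport == 53:
        return "allow" if p.src == pihole else "block"
    return "allow"
```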