Here is what I think is happening:
You have, on your Arris cable modem, configured port forwarding for UDP port 53 to 192.168.0.2 (your pi).
You have, on your Arris cable modem, configured DHCP to hand out 192.168.0.1 as the gateway address for all clients.
When any system on your network is making a DNS request to 192.168.0.2 (your pihole), the request will go directly to the pi.
When any system on your network is making a request to any other resolver than your pihole, it will use the known routes and send the request to the outside world, using the default gateway to reach the destination. This initial request never comes near the pihole. If this request is a UDP request, the port forward rule on your Arris cable modem will redirect the UDP packet to the pi (192.168.0.2), but if it is a TCP packet, the request will directly go to the resolver specified in the request. DNS uses UDP and TCP as fallback.
Given your configuration, as far as I can see the details in the screenshot, I don't think your pi is making successful UDP DNS requests anymore, because the Arris modem always bounces them back, unless you have something like dnscrypt-proxy running on your pi, which doesn't use port 53 but 443, or any other method that makes the pi NOT use port 53.
All UDP port 53 packets are bounced back to the pi, even the packets from the pi.
All TCP port 53 packets are passing through, without any interference.
What you are trying to achieve is typically configured on the firewall/router that is specified as the default gateway, so all packets are captured.
Such a rule is called a NAT rule and typically requires the following mandatory parameters:
- protocol: UDP/TCP (to redirect all DNS requests you need both)
- source address: all systems EXCEPT the pihole, unless your pihole doesn't use port 53 to resolve DNS requests (dnscrypt-proxy or equivalent)
- source port: any
- destination: the address of the servers you don't want to contact (8.8.8.8)
- destination port: 53
- redirect target IP: the address of your pihole
- redirect target port: 53
You may think the solution is to change the port forwarding to UDP/TCP, but this is NOT the solution: you will expose the pihole to the public internet, which is a very bad idea.
Again, I don't have an Arris cable modem, so I don't know what it does, but port forwarding rules are typically used to make a service in your local network available to the public.
Earlier (first reply to this topic) I referred to a port scanner to test your exposure. Here is a different one. I wouldn't be surprised if you already have UDP port 53 exposed (bad idea), but again, I don't know what the Arris modem can and cannot do.
In conclusion, if you want to protect your network from the outside world, and use features such as NAT, you need a router/firewall such as pfsense placed between the cable modem and your network, unless of course the Arris modem is already capable of doing this.
This is all based on the screenshots and comments you posted. If your Arris cable modem does something else than I would expect from a cable modem, it might be incorrect.
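
The NAT rule parameters listed in the post above, written out as iptables rules; this is an added example, not part of the original post. It assumes a Linux-based router acting as the default gateway, and the interface name `eth1` and the function names are hypothetical. The MASQUERADE rule goes beyond the post's list and covers the case where client and pihole share a subnet.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables NAT rules that redirect
# LAN DNS requests to the pihole. Assumes a Linux router that is the LAN's
# default gateway; eth1 is an assumed interface name.

# dns_redirect_rules PIHOLE_IP LAN_IF RESOLVER_IP
dns_redirect_rules() {
    pihole=$1 lan_if=$2 resolver=$3
    for proto in udp tcp; do    # DNS uses UDP and TCP, so redirect both
        # protocol, source (all except the pihole), destination,
        # destination port 53 -> redirect target IP and port
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto" \
             "! -s $pihole -d $resolver --dport 53" \
             "-j DNAT --to-destination $pihole:53"
        # Not in the post's list: client and pihole sit on the same subnet,
        # so without source NAT the pihole answers the client directly and
        # the client drops the reply because it comes from the wrong address.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto" \
             "-d $pihole --dport 53 -j MASQUERADE"
    done
}

# Mirrors the match part of the PREROUTING rule: succeeds (exit 0) when a
# packet would be redirected. Shows why the pihole must be excluded.
# is_redirected SRC_IP PROTO DST_IP DST_PORT PIHOLE_IP RESOLVER_IP
is_redirected() {
    src=$1 proto=$2 dst=$3 dport=$4 pihole=$5 resolver=$6
    case $proto in
        udp|tcp) ;;
        *) return 1 ;;
    esac
    [ "$src" != "$pihole" ] && [ "$dst" = "$resolver" ] && [ "$dport" = 53 ]
}

# Addresses from the post; review the printed rules before piping them to sh.
dns_redirect_rules 192.168.0.2 eth1 8.8.8.8
```

Unlike a port forward on the WAN side, these rules match only traffic arriving on the LAN interface, so the pihole is not exposed to the public internet.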