The issue I am facing:
I have two Raspberry Pi 3b devices, both running the latest Raspbian Lite. I have install PiHole and PiVPN on both, and both were working fine I have DoH running with a local cloudflared on each box and I have installed a number of extra adlists. All working great.
On one device I have installed and configured hostapd to provide a wireless access point for ad-blocking, as my ISP-provided router is very basic and doesn't allow me to disable DHCP or alter the DHCP-provided DNS servers. To avoid stepping on the toes of PiHole I have added a new configuration in /etc/dnsmasq.d/10-hostapd.conf;
interface=wlan0
dhcp-range=192.168.100.100,192.168.100.200,24h
dhcp-option=6,192.168.0.251,192.168.0.252
domain=wlan
address=/gw.wlan/192.168.100.1
dhcp-leasefile=/etc/pihole/192-168-100-0.leases
I have also added a NAT rule for traffic coming from the new wireless network. I copied the NAT rule for the PiVPN Wireguard configuration, which seemed sensible;
➜ ~ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
➜ ~ sudo iptables -vnt nat -L
Chain PREROUTING (policy ACCEPT 2008 packets, 182K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1617 packets, 143K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2242 packets, 164K bytes)
pkts bytes target prot opt in out source destination
287 18366 MASQUERADE all -- * eth0 192.168.100.0/24 0.0.0.0/0
1 64 MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
0 0 MASQUERADE all -- * wlan0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */
Chain OUTPUT (policy ACCEPT 2242 packets, 164K bytes)
pkts bytes target prot opt in out source destination
When testing I found the following;
Devices connected to the new Wireless Access Point can resolve DNS from 192.168.100.
Devices connected to the Wireguard VPC cannot resolve DNS from 10.6.0.1
Devices on the original network (192.168.0.0/24) cannot resolve DNS from 192.168.0.251
From the rPi itself I can successfully run dig against 127.0.0.1 (lo0) and 192.168.100.1 (wlan0) but not against 192.168.0.251 (eth0) or 10.6.0.1 (wg0)
I can curl the PiHole admin page against all the local IP addresses, so I don't think it's network-related. I noticed that the connections were timing out and thought it might be firewall-related, so I had a look at tcpdump and I can clearly see traffic is flowing both ways, but pihole-FTL is sending a Finished/Reset and closing the connection;
14:02:02.814716 IP 192.168.0.252.50031 > 192.168.0.251.53: Flags [S], seq 2492019295, win 64240, options [mss 1460,sackOK,TS val 2982767275 ecr 0,nop,wscale 7], length 0
14:02:02.814920 IP 192.168.0.251.53 > 192.168.0.252.50031: Flags [S.], seq 239040519, ack 2492019296, win 65160, options [mss 1460,sackOK,TS val 1947561771 ecr 2982767275,nop,wscale 7], length 0
14:02:02.815537 IP 192.168.0.252.50031 > 192.168.0.251.53: Flags [.], ack 1, win 502, options [nop,nop,TS val 2982767276 ecr 1947561771], length 0
14:02:02.815745 IP 192.168.0.252.50031 > 192.168.0.251.53: Flags [P.], seq 1:59, ack 1, win 502, options [nop,nop,TS val 2982767276 ecr 1947561771], length 58 17434+ [1au] A? theregister.com. (56)
14:02:02.815818 IP 192.168.0.251.53 > 192.168.0.252.50031: Flags [.], ack 59, win 509, options [nop,nop,TS val 1947561772 ecr 2982767276], length 0
14:02:02.816411 IP 192.168.0.251.53 > 192.168.0.252.50031: Flags [F.], seq 1, ack 59, win 509, options [nop,nop,TS val 1947561773 ecr 2982767276], length 0
14:02:02.816535 IP 192.168.0.251.53 > 192.168.0.252.50031: Flags [R.], seq 2, ack 59, win 509, options [nop,nop,TS val 1947561773 ecr 2982767276], length 0
I've tried changing the interface binding settings in the PiHole Admin console, but "All Interfaces" and "All Interfaces, All Origins" show the same behaviour.
I have also confirmed that removing the additional config file from /etc/dnsmasq.d/ fixes the problem, but then my wireless network has no DHCP.
So...any ideas how I can fix this? 
Details about my system:
➜ ~ uname -a
Linux raspberry01 5.10.17-v7+ #1421 SMP Thu May 27 13:59:01 BST 2021 armv7l GNU/Linux
➜ ~ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
➜ ~ pihole -v
Pi-hole version is v5.3.1 (Latest: v5.3.1)
AdminLTE version is v5.5 (Latest: v5.5)
FTL version is v5.8.1 (Latest: v5.8.1)
What I have changed since installing Pi-hole:
- Configured DoH using
cloudflared - Installed PiVPN
- Installed HostAPD