It's not entirely clear how exactly your different configurations of NAS, router and Pi-hole work together and what exactly those screens would convey. I am not familiar with your router or your NAS at all, so you should consider consulting their respective documentation and support for issues specific to them.
If I read your configuration correctly, your router is distributing its own internal DNS server to clients via DHCP, not Pi-hole, and you've configured your router to use Pi-hole as its upstream DNS resolver on the WAN side.
A client's DNS resolution chain would thus be
client -> router -> Pi-hole -> Pi-hole's upstream DNS
That is a valid configuration, but note that you won't be able to attribute DNS requests to individual clients in Pi-hole's Query Log, as all DNS requests originate from your router.
It is quite possible that your observation is caused by your problematic devices trying to access a domain that is blocked by Pi-hole. "How do I determine what domain an ad is coming from?" may help you to find those domains.
It seems you tried to address your issue by configuring your router to allow your problematic devices to use Google for DNS instead of your router.
In general, that should work as well, as that would remove Pi-hole from their DNS resolution chain altogether: client -> 8.8.8.8.
But you mention you have or had configured a forceful redirection of port 53 DNS traffic in your router. In that case, while your client would still send their DNS requests to 8.8.8.8, your router would intercept and redirect them, so you'd end up with:
client -> 8.8.8.8 -> router (intercepted) -> router's upstream, i.e. Pi-hole -> Pi-hole's upstream DNS
Obviously, this would counteract your intention of having those devices by-pass Pi-hole.
There are possibly several approaches to address this.
One would be to switch your router's upstreams from Pi-hole to a public DNS resolver of your choice, and have your router distribute Pi-hole as its only local DNS resolver via DHCP while keeping your router's extras for your problematic devices.
That should result in the following DNS resolution chains:
normal clients:
client -> Pi-hole -> Pi-hole's upstream DNS
clients tagged to by-pass Pi-hole:
client -> 8.8.8.8
If you stick with forcefully redirecting your port 53 DNS traffic, you should exempt Pi-hole from that rule.
Any client by-passing Pi-hole, tagged as allowed or not, would then be subject to the following DNS chain:
client -> public DNS resolver, e.g. 8.8.8.8 -> router (intercepted) -> router's upstream (public DNS resolver)
I can't advise on the actual configuration settings of your router.
You should refer to your router's documentation and support for details. 
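
The resolution chains discussed in the post above can be traced with a small model. This is an added example, not part of the original post and not tied to any router's actual settings. It goes one step beyond the post by showing the forwarding loop that appears when Pi-hole is not exempt from the port 53 redirect while the router still uses Pi-hole as its upstream. The `Router` fields, the `chain` function and the resolver addresses 1.1.1.1 and 9.9.9.9 are constructed for illustration, and the model assumes the redirect only catches queries addressed to resolvers outside the LAN.

```python
from dataclasses import dataclass

PIHOLE, ROUTER = "Pi-hole", "router"

@dataclass
class Router:  # hypothetical model, not a real router's configuration schema
    upstream: str                    # resolver the router itself forwards to
    redirect_port53: bool = False    # force LAN port 53 traffic to the router
    exempt: frozenset = frozenset()  # LAN hosts excluded from the redirect

def chain(client, dns_server, router, pihole_upstream="1.1.1.1"):
    """Return the hops a DNS query takes, as a list of labels."""
    hops, seen = [client], set()
    sender, target = client, dns_server
    while True:
        if (sender, target) in seen:   # same forwarding step again: a loop
            hops.append("LOOP")
            return hops
        seen.add((sender, target))
        if target == ROUTER:           # router's resolver forwards upstream
            hops.append(ROUTER)
            sender, target = ROUTER, router.upstream
        elif target == PIHOLE:         # LAN-local, assumed not redirected
            hops.append(PIHOLE)
            sender, target = PIHOLE, pihole_upstream
        elif (router.redirect_port53 and sender != ROUTER
              and sender not in router.exempt):
            hops.append(f"{target} (intercepted by router)")
            sender, target = ROUTER, router.upstream
        else:                          # query reaches the public resolver
            hops.append(target)
            return hops

if __name__ == "__main__":
    current = Router(upstream=PIHOLE, redirect_port53=True,
                     exempt=frozenset({PIHOLE}))
    no_exemption = Router(upstream=PIHOLE, redirect_port53=True)
    proposed = Router(upstream="8.8.8.8")
    redirect_kept = Router(upstream="9.9.9.9", redirect_port53=True,
                           exempt=frozenset({PIHOLE}))
    for label, dns, r in [("bypass attempt", "8.8.8.8", current),
                          ("Pi-hole not exempt", "8.8.8.8", no_exemption),
                          ("normal client", PIHOLE, proposed),
                          ("tagged client", "8.8.8.8", proposed),
                          ("redirect kept", "8.8.8.8", redirect_kept)]:
        print(f"{label}: " + " -> ".join(chain("client", dns, r)))
```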