Does your router have rebind protection? If that is present and enabled then it's possible that the router is dropping packets as it sees this as an attempt to hijack the network.
What is your gateway set to? What does ip -4 route show? What does ip -4 route get 10.20.1.1 show?
That's what I'm thinking, it's definitely not an option to disable that's why I thought dns relay may have something to do with it. Secondly, I wonder if since I'm on a foreign subnet to my router it's blocking 10.20 thinking it's a spoofed IP. To correct myself, I do not have connectivity from other devices either when I set pi as dns in the router. Only when I don't goes pi respond to queries.
root@DietPi:~# ip -4 route get 10.20.1.1
10.20.1.1 dev eth0 src 10.20.1.65
cache
root@DietPi:~# ip -4 route get 8.8.8.8
8.8.8.8 via 10.20.1.1 dev eth0 src 10.20.1.65
cache
Everything points to this not being a Pi-hole issue and one with either the Pi device or the router. I think you may have better help with asking the DietPi community for further assistance.
I guess I can live with having to set it statically on client devices and set 1.1.1.1 in the router. Pi still answers queries this way. And dnssec is working for statically set devices.