Just a remark...
I wouldn't demonize DNS Rebind Protection as such - it's a security feature (click for more).
DNS Rebind Protection is indeed a useful means against a certain type of attack against your network, namely DNS Rebind, where a foreign public DNS server has been compromised and would answer DNS requests for certain public domains malicioulsy with a local IP address in order to snoop your network for further angle's of attack or even to deliver harmful content that appears to be coming from a trusted source.
Your router will therefore discard any DNS answers received from a public DNS server that contains a local IP address.
That's a good thing, generally.
What makes this a hassle is that each router model and even firmware version exhibits a different behaviour for DNS Rebind Protection, and may or may not offer ways of configuring it, either globally or specifically for a device (click for more).
Your router will likely consider any of its configured upstream DNS servers as being of public (=foreign) origin, regardless of that DNS servers actual IP address allocation.
This is not a misbehaviour of your router per se, just a security precaution.
If changing your upstream DNS servers is your only option of injecting Pi-hole into your network, then you need to disable Rebind Protection for Pi-hole.
Your router may also treat local DNS servers as defined within its DHCP settings as foreign, but may or may not respect local IP addresses as exempted automatically.
Hence, it would depend on your router's model and firmware version whether DNS Rebind Protection will discard DNS answers with local IPs.
If so, you also need to disable Rebind Protection for Pi-hole.
Some routers will allow you to define exemptions from DNS Rebind protection (e.g. by putting pi.hole or its IP address on an exemption list, which would be the preferred way) or to disable it completely, either locally (i.e. for DNS servers in your local network, which is OK as well) or globally (which I would only consider as a last resort, as this will leave you open to DNS Rebind attacks).
Why won't Pi-hole work with DNS rebind protection enabled? contains a few examples for configuring exemptions.
Note that some routers require a full restart to activate those settings.
Yet in all cases, DNS Rebind Protection would affect both UDP and TCP protocol DNS answers.
In contrast to this, the behaviour that your setup was showing - treating UDP different from TCP - is definitely dodgy.
I wouldn't be a 100% sure whether this is accountable to a bad DNS Rebind Protection implementation, but I am glad you were able to resolve this.