[SOLVED] Pi-hole on Amazon EC2 not filtering ads

Good job!

pi@noads:~ $ host pi.hole 52.214.17.59
;; connection timed out; no servers could be reached

Yeah, I suspected something like this was happening, so I wanted to make sure with the dig version that it really was dnsmasq answering and not some safety mechanism on the router like rebind protection:

This means processes/scripts/tasks/programs running on this VM that depend on DNS resolution will sometimes query Pi-hole's own DNS service on the loopback interface 127.0.0.1, and sometimes they will query the other DNS 172.31.0.2.
Nothing wrong with that, but it is preferred to have all DNS queries run through 127.0.0.1.

Tip: if you default the router settings @ home, and only configure the upstream DNS resolver for the router (often called WAN DNS or something) to be that of the Pi-hole IP address (no secondary DNS!), the clients, through DHCP, will be configured to use the router for DNS resolution.
And in turn, the router will forward queries to Pi-hole to have them answered.
That way you have your router caching DNS queries on your local network resulting in less traffic to the (slower) internet.

PS: if you fiddle with DHCP settings, always make sure the client DHCP leases get renewed.
Disconnect & reconnect network on the clients or reboot them.