Wish I could be definitive about the problem. When the dust settles a little, I'll undo some of the changes to see what breaks it again.
The overall problem is that I'm building a dedicated name server for my local network. That name server will talk via a VPN to the internet. The name server is built by using pihole-FTL as the internal-network-facing name server (and address filter), with the outside-facing name server being an instance of unbound, and an authoritative name server for the local network domains implemented by NSD.
All three name servers are running on the Pi, the pihole-FTL server running on the eth0 interface, and the two other name servers running on virtual interfaces in the Pi.
Internal name service requests are directed to the pihole-FTL server, which forwards unmatched names to the unbound server, which does a recursive name lookup on the internet. If that name lookup is for the "private" namespace for my network, that recursion reaches the name server that hosts the public DNS configuration for my network, which returns the ns record for the local domain, which is the IP address of the NSD instance, which responds with an authoritative response for the local name.
Since that returned ns record contains a private address, only valid within my network, only local systems can resolve names in that name domain.
The fundamental issue I've been struggling with is that dnsmasq/pihole-FTL is not really aimed at that sort of installation; by default it assumes that it's alone, and possibly directly internet connected. In that scenario open name server ports are a security issue, so as a security measure dnsmasq/pihole-FTL attempts to bind to all interfaces in the box, and actively discards name server queries from interfaces other than the one it is intentionally servicing.
So the game has been to find a configuration for pihole-FTL that respects the other two name servers on their virtual interfaces, but also avoids pihole-FTL detecting the interfaces already configured, spitting out its dummy and refusing to bind any interface at all.
I managed to get a config for an unmodified version of dnsmasq that did as required fairly early in this saga, but the battle has been to get a config for pihole-FTL that functioned the same.
I've still more testing to do as I want to be able to start and stop any of the three name servers, and be able to restart them, i.e. not have pihole-FTL see the open DNS ports on those interfaces (when the appropriate name server is stopped) as a hazard and bind them itself.
After much help from deHakkelaar, I've found at least a config that meets my minimal requirement to use pihole-FTL.
Two commands that have proved invaluable are:
sudo netstat -ltunp | grep ":53 "
That lists all the interfaces on the box, udp and tcp, that have port 53 active, and which process is holding that port.
And a deHakkelaar special:
sudo grep -v '^#\|^$' -R /etc/dnsmasq.* | sort
that finds all the commands in all the active pihole-FTL/dnsmasq config files. I'm still not sure I understand how it works completely, but it certainly does work, and well.
With the setup described above, I can now use the server command in nslookup to route name requests to any of the three name servers, and see what each returns.
The pihole admin web interface now works mostly as expected, and I'm definitely filtering out adverts.
Harry
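An added example, not part of Harry's post: a shell function that turns the `netstat -ltunp` check above into a pass/fail audit, flagging wildcard binds and addresses held by the wrong daemon. The function names, addresses and PIDs are constructed placeholders; the post does not give the real ones.

```shell
#!/bin/sh
# Added example: audit which process owns port 53 on each address.
# All addresses and PIDs below are constructed placeholders.

# Usage: netstat -ltunp | check_dns_listeners "ADDR=PROC ADDR=PROC ..."
# Prints one line per finding; exit status is 0 only when there are none.
check_dns_listeners() {
    awk -v expected="$1" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:53$/ {
        addr = $4; sub(/:53$/, "", addr)         # local address without the port
        proc = $NF; sub(/^[0-9]+\//, "", proc)   # "812/pihole-FTL" -> "pihole-FTL"
        proto = substr($1, 1, 3)
        if (addr == "0.0.0.0" || addr == "::") {
            print "WILDCARD " proto " " proc; bad = 1
        } else if (!(addr in want)) {
            print "UNEXPECTED " proto " " addr " " proc; bad = 1
        } else if (want[addr] != proc) {
            print "WRONG-OWNER " proto " " addr " " proc " (expected " want[addr] ")"; bad = 1
        } else {
            seen[proto " " addr] = 1
        }
    }
    END {
        # DNS needs both UDP and TCP on every expected address.
        np = split("tcp udp", p, " ")
        for (a in want) for (j = 1; j <= np; j++) {
            k = p[j] " " a
            if (!(k in seen)) { print "MISSING " p[j] " " a " " want[a]; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed sample of `sudo netstat -ltunp` output showing a bad state.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*        LISTEN  812/pihole-FTL
udp        0      0 192.168.1.2:53   0.0.0.0:*                812/pihole-FTL
tcp        0      0 10.53.0.2:53     0.0.0.0:*        LISTEN  640/unbound
udp        0      0 10.53.0.2:53     0.0.0.0:*                640/unbound
udp        0      0 10.53.0.3:53     0.0.0.0:*                812/pihole-FTL
EOF
}

sample_netstat | check_dns_listeners \
    "192.168.1.2=pihole-FTL 10.53.0.2=unbound 10.53.0.3=nsd" ||
    echo "port 53 ownership does not match the intended layout"
```

Run it after each stop, start or restart of one of the three daemons; netstat needs sudo so that the PID/Program column is filled in.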