I think I may have figured it out:
I found this when searching if IDS/IPS was turned on in UniFi.
Looks like they have their own Pi-Hole style blocking?
I'll try disabling that and see if it fixes my issue. I would 100% assume this is the problem since nothing else makes sense.
They have probably altered all UDP 53 traffic which is why DNSSEC doesn't have the issue; at least, that's what it says.
I had DNSSEC enabled in Pi-Hole though. It broke when trying to get local DNS names from the UniFi router, so I disabled it. Still, that's only recently. It was DNSSEC when I was having issues before.
If UniFi is blocking that stuff, that seems pretty intrusive. It's not just ads but trackers too?
And the DNS Shield part is just using Cloudflare security. What's that?
I turned off both and now it works:
$ nslookup click.redditmail.com
Server: UnKnown
Address: 192.168.6.1
Non-authoritative answer:
Name: thirdparty.bnc.lt
Address: 18.144.119.190
Aliases: click.redditmail.com
Ah. Once I disable DNS Shield and bring it back up, this makes a LOT more sense:
After enabling only one or the other, I found that the issue was the Ad Blocking setting. I went ahead and disabled it.
It's crazy they developed their own Pi-Hole. Not only did I have it turned on, but I had no clue. I must've clicked it one day and forgotten about it.
Looking through the logs, I can't even tell when I enabled it.