Hi @Jaywalker
Your PiHole is the resolver in that it intercepts DNS requests to apply its filtering. Anything on the blacklist is resolved to 127.0.0.1, which basically black holes the request.
But valid DNS requests are forwarded to your configured upstream DNS resolver. In this case you mention Quad9.
The issue you’re having is that a streaming device seems to be bypassing your PiHole and using its own hardcoded resolver. It’s very possible that’s the case.
I think the PiHole forum post stating to create a firewall rule for outbound DNS requests and log them was simply a diagnostic method of confirming whether or not the device is indeed using its own DNS resolver.
I wouldn’t deny the request, otherwise it could break the streaming device’s internet access. But create an allow rule and log it.
You could also look at “active sessions” under the status tab and see if anything is currently using DNS services. Fire up your device and see if it pops up under DNS active sessions.
Coming back to your PiHole and DNS service forwarding and proxying. This is the only way to override any hardcoded DNS client request. Here’s another post from @MartinLangmaid that explains this concept further:
The thing is your DNS resolver needs to be on a WAN connection, not LAN. So pointing back to your PiHole won’t work.
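
The allow-and-log diagnostic described in this post can be checked with a short script; this is an added example, not part of the original post. The Pi-hole address `192.168.1.2` and the key=value log layout are assumptions made up for the illustration and do not match any particular router's log format.

```python
import re
from collections import defaultdict

# Assumption: the Pi-hole's LAN address. It is the only host expected to
# send DNS queries out to the upstream resolver (Quad9 in this thread).
PIHOLE_IP = "192.168.1.2"

# Constructed sample lines in a generic key=value firewall-log layout.
SAMPLE_LOG = """\
Jan 10 20:01:11 fw ALLOW-LOG-DNS SRC=192.168.1.2 DST=9.9.9.9 PROTO=UDP SPT=41822 DPT=53
Jan 10 20:01:12 fw ALLOW-LOG-DNS SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=50211 DPT=53
Jan 10 20:01:12 fw ALLOW-LOG-WEB SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=50212 DPT=443
Jan 10 20:01:15 fw ALLOW-LOG-DNS SRC=192.168.1.50 DST=8.8.4.4 PROTO=TCP SPT=50300 DPT=53
Jan 10 20:01:20 fw ALLOW-LOG-DNS SRC=192.168.1.2 DST=149.112.112.112 PROTO=UDP SPT=41900 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def find_dns_bypass(log_text, pihole_ip=PIHOLE_IP):
    """Return {client_ip: sorted resolvers it queried directly on port 53}."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Only plain DNS (UDP or TCP, destination port 53) is of interest.
        if fields.get("DPT") != "53" or fields.get("PROTO") not in ("UDP", "TCP"):
            continue
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst:
            continue  # malformed line, skip it
        if src == pihole_ip:
            continue  # Pi-hole forwarding to its upstream is expected
        bypass[src].add(dst)
    return {src: sorted(dsts) for src, dsts in bypass.items()}


if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} is bypassing the Pi-hole, querying: {', '.join(resolvers)}")
```

Any client listed in the result is sending DNS straight out the WAN instead of through the Pi-hole, which is what the logged allow rule is meant to confirm.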