Sorry @Rudy – I kind of believe stego – he seems to know what he is talking about. Personally, I haven’t needed to tackle this particular issue, so I will be of no help to you. I do wish you luck in your adventure though.
Yikes, that is quite the predicament. Other than Peplink adding an option to “exclude” an IP from the proxy and forwarding (which is probably the cleanest way and most likely shouldn’t be that difficult to implement), there are probably some other ways that they could implement it under the covers (unbeknownst to the users).
Here are a few “out of the box” kinds of ideas. Forewarning: none of them are “good” or practical. You seem extremely knowledgeable and have most likely already considered them, but just in case…
Would it be possible to create a point-to-point VPN tunnel (or any other tunnel) between the Raspberry Pi and somewhere else on the internet? If so, you could configure the Pi to be the resolver for the B20X and point the Pi at the DNS resolver you want on the internet (ISP, Google, etc.). You would then need to configure your clients to use the B20X as their DNS source (and the B20X always points to your Pi). Then you could proxy and forward again. The DNS requests from your Pi wouldn’t be “intercepted” due to their going through a tunnel. You would get your local resolver (which is where you are “blocking” access) and you would “catch” devices that change their DNS resolver (and enforce your “blocking”).
Another option would be to use the firewall to block all outbound UDP port 123 traffic except from your Pi device. This is a bit “brute-ish” in my opinion but it probably would keep folks from changing their assigned DNS server settings. Name resolution would simply not work if they changed it to something other than your local resolver. Forcing unknown application failures may or may not be the “right” approach - but, it is definitely effective.
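The post above wants to enforce that every client resolves through the Pi. Before (or instead of) dropping traffic, it helps to see which clients are actually bypassing the local resolver; the following is an added example, not code from the thread or from Peplink, that scans a constructed key=value flow log for LAN hosts sending DNS (UDP/TCP port 53) straight to external resolvers. The log field names, the 192.168.50.0/24 LAN and the Pi address 192.168.50.10 are assumptions.

```python
"""Flag LAN clients that send DNS directly to external resolvers instead of the Pi."""
import ipaddress
import re
from collections import Counter

# Constructed sample flow log (assumed generic src=/dst=/proto=/dport= format,
# not Peplink's real log layout). 192.168.50.10 is the assumed Pi resolver.
SAMPLE_LOG = """\
src=192.168.50.10 dst=1.1.1.1 proto=udp sport=40001 dport=53
src=192.168.50.23 dst=8.8.8.8 proto=udp sport=51234 dport=53
src=192.168.50.23 dst=192.168.50.10 proto=udp sport=51235 dport=53
src=192.168.50.41 dst=9.9.9.9 proto=tcp sport=44100 dport=53
src=192.168.50.41 dst=9.9.9.9 proto=tcp sport=44101 dport=53
src=192.168.50.77 dst=93.184.216.34 proto=tcp sport=50000 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
DNS_PORTS = {53}  # plain DNS; widen this set if other resolver ports matter to you


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("src", "dst", "proto", "dport")):
        return None
    return fields


def find_dns_bypass(log_text, resolver_ip, lan_cidr, dns_ports=DNS_PORTS):
    """Return {client_ip: count} of LAN hosts (other than the resolver itself)
    that sent DNS to destinations outside the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    resolver = ipaddress.ip_address(resolver_ip)
    hits = Counter()
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f is None or f["proto"] not in ("udp", "tcp"):
            continue
        try:
            src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except ValueError:
            continue  # malformed address or port: skip the line, don't crash
        if dport not in dns_ports or src not in lan or dst in lan:
            continue  # not DNS, not LAN-sourced, or answered inside the LAN (e.g. by the Pi)
        if src == resolver:
            continue  # the Pi is the one host allowed to recurse out
        hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in find_dns_bypass(SAMPLE_LOG, "192.168.50.10", "192.168.50.0/24").items():
        print(f"{host}: {n} external DNS flow(s) bypassing the local resolver")
```

Hosts the script reports are the ones a "block everything except the Pi" firewall rule would break, so it doubles as a preview of the fallout before that rule goes in.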