RESOLVED: this is not a Peplink issue at all.
It turns out that port 53 is special. At times, something between the nmap requestor and the target router is intercepting the nmap port probe on port 53 and answering in the affirmative. The Peplink router never sees the port 53 probe. This was confirmed by running a full packet trace on a target Peplink router and making an nmap port test of ports 52, 53 and 54. Wireshark showed the incoming requests for port 52 and 54 but not for 53.
Live and learn. Many thanks for the assistance from Peplink.
FYI: Blog with details here