I’m all over the place when it comes to DNS solutions. I dynamically remove DNSSEC and Rebind on the router if my DNS config involves NextDNS. And map the 0.0.0.0 to my Pixelserv IP. That’s a lot of hacks just to see if something will work like Diversion Standard.^^^^ Actually, helpful - makes perfect sense.
BUT .. I think you posted that you prefer to keep DNSSEC on locally and you made a few posts earlier to the configs to to allow diversion + Pixelserv to act as a 2nd layer to NextDNS as long as we set NextDNS to use 0.0.0.0 returns.. or am I mis-remembering? For me, I like layers for this stuff... so if something sneaks past the front link, there's a fallback waiting to stop it.
ASUSWRT-Merlin and NextDNS issue
Layers are good except when modifying cryptographically signed data. Hence I’m taking a break from fancy DNS now that kids are going back to school and I have to go back to work tomorrow.
I’m now just using ISP DNS with DNSSEC and Diversion. Plus SkyNet.