The mystery is solved: It was the Fritzbox all along.
It was already narrowed down to either something being wrong with the AX86U (which seemed unlikely given that my config wasn't THAT exotic), or something being wrong with using the Fritzbox in a way that approximates a modem (which is outside the manufacturer's specs), and between those two I was already suspecting that the Fritzbox might well be the culprit here.
@SomeWhereOverTheRainBow was spot-on. Once I knew what to look for, I kept coming across posts of people using Fritzboxes like that and then having trouble setting up their own DNS resolvers. In a German forum I found someone who observed that Fritzboxes, when used like that, filter 'host -t NS . ' requests as well as DNS SOA requests. There is no rational explanation for the Fritzboxes behaving that way, but then again, using them as modems like that is an unspecified use case (and thus, unsanctioned and also untested by the manufacturer).
It's a shame really, because you can get second-hand Fritzboxes quite cheaply in Germany (lots of ISPs hand them out with their contracts), and their DSL chipsets are pretty good. Compared to the Draytek Vigor 167 I now use, the Fritzbox achieved a DSL sync that was 20 Mbit/s higher downstream and 5-10 Mbit/s higher upstream (179/48 vs. 158/40).
TL;DR: I tried a "real" DSL modem, and everything worked as it should. Fritzbox routers without a dedicated bridge mode exhibit strange DNS-related quirks when "forced" to behave like a modem (PPPoE passthrough without their own active internet connection) that prevent your own DNS resolvers from working.
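A small probe for the failure mode described above, added here as an example and not taken from the post: it builds the root NS "priming" query (what `host -t NS .` sends) and an SOA query, the two lookups a local recursive resolver needs early on, and classifies what an upstream does with them, where no reply at all is the "filtered" case. The upstream address, the fixed transaction id and the sample reply bytes are constructed for illustration.

```python
# Added example (not from the post): does the upstream answer a root NS
# priming query and an SOA query, or silently drop them? Constructed values.
import socket
import struct
from typing import Optional

QTYPE_NS, QTYPE_SOA = 2, 6
TXID = 0x1234  # fixed transaction id so a reply can be matched to its query

def build_query(qname: str, qtype: int, txid: int = TXID) -> bytes:
    """Minimal DNS query with RD=1; qname "." is the root zone (one 0 byte)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split(".") if l)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header: id, rcode, answer/authority counts."""
    txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0x000F, "answers": an, "authority": ns}

def classify(resp: Optional[bytes], txid: int = TXID) -> str:
    """'filtered' = no reply at all: what a resolver sees when the upstream drops the query."""
    if resp is None:
        return "filtered"
    h = parse_header(resp)
    if h["id"] != txid:
        return "mismatch"
    if h["rcode"] == 0 and (h["answers"] or h["authority"]):
        return "answered"
    return "rcode=%d" % h["rcode"]

def probe(server: str, qname: str, qtype: int, timeout: float = 2.0) -> str:
    """Send one query over UDP/53 to the upstream and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify(data)

# Constructed reply to the priming query: one NS record (TTL 3600) naming
# a.root-servers.net, with the owner name compressed to the question at offset 12.
SAMPLE_PRIMING_REPLY = (
    struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + b"\x00\x00\x02\x00\x01"
    + b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x14"
    + b"\x01a\x0croot-servers\x03net\x00"
)
```

Run `probe("<upstream ip>", ".", QTYPE_NS)` and `probe("<upstream ip>", "example.com", QTYPE_SOA)` against the device in front of the resolver: "filtered" for the first while ordinary A lookups work is the symptom the post describes.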