Weird Roblox DNS error with AGH on LAN

[RainmakerRaw]

I have a weird (to me) issue that I hope someone can help with. Basically, I need to manually set clients' WiFi/LAN DNS server to 9.9.9.9 to make Roblox work, even though a configuration profile is installed and active on the device (so AGH is still processing the queries anyway!). Allow me to explain:

I'm running AdGuard Home v0.107.48 on a Rocky Linux 9.3 LXC container, under Proxmox PVE v8.1.10. The LXC container has a public IPv4 which differs from the main home WAN IP (I have a /29 from my ISP) as well as direct access to the LAN, from which it obtains a static local DHCP IPv4 address from my router. That router is x86 and runs OpenWrt v23.05.3 r23809-234f1a2efa.

The LXC container running AGH also obtains global/public IPv6 addresses from the router using SLAAC and DHCPv6. The LAN DHCP server on the router issues the AGH instance as LAN DNS (10.100.0.154 and its public IPv6 address) to all other LAN DHCP clients.

Like this (the IP addresses are made up):

Home router     AGH LXC
80.0.0.2        80.0.0.3
10.100.0.1/24   10.100.0.154
3fb0::/56       3fb0::2
----------
Example client on LAN -
10.100.0.232, 3fb0::3 (router 10.100.0.1, DNS 10.100.0.154 and 3fb0::2, broadcast 10.100.0.255)

AGH has Hagezi Pro and Hagezi TIF as the filter lists, and uses several encrypted upstreams (Mullvad, AdGuard public DNS, Quad9, etc) with parallel queries enabled. The upstreams use a mixture of quic, tls and h3. Local cache and optimistic caching is enabled.

A redacted copy of the AGH config file can be found HERE.

The clients experiencing the problem in question run iOS and iPadOS (latest). As well as receiving the AGH instance as their DNS server via DHCP on the WiFi connection, they also have a DNS profile installed on the device (DoH) pointing to the AGH by domain (https://clientid.dns.my-domain.xyz/dns-query). In other words, the WiFi tells them DNS is at 10.100.0.154 but the locally installed profile overrides this anyway, and points them to the encrypted DNS by domain.

For the last few days, when launching Roblox on devices on the LAN it opens but immediately errors that there is no network available, and to click to retry (which doesn't work). The only domains blocked by AGH at this time are launches.appsflyer.com and app-analytics-services.com, which have been blocked since forever and never caused a problem before now. Unblocking them to test didn't help.

However, I finally found a workaround. If I go to Settings > WiFi on the affected iOS devices and then change DNS from automatic to manual, and specify any public DNS (such as 9.9.9.9), Roblox launches perfectly and without issue. The reason this is so strange is that the device profile is still installed and active, and AGH confirms all the DNS traffic is still going through AGH as usual - but now Roblox works. As soon as I change the WiFi DNS back to automatic (i.e. it points to the AGH LAN addresses again) Roblox says there's no network and refuses to launch. I've tried deleting only the IPv4 address (10.100.0.154), as well as deleting only the IPv6 address, and the error persists. It only goes away when I remove the LAN IPs entirely and point the device to 9.9.9.9 (but leave the configuration profile active and allow AGH to work that way).

No other app on the device behaves this way, everything else works with the LAN IPs active as you'd expect. YouTube, various games, browsing - everything works fine with the DHCP-assigned DNS LAN IPs. Only Roblox shows this error and requires the workaround. This is far from ideal!

I'm stumped how changing the LAN DNS to a public non-blocking server allows Roblox to launch, when AGH is still hijacking and processing the queries anyway, due to the configuration profile. Does anyone have any ideas here? I'm stumped!