and the advanced settings are all unchecked i.e. my web ui looks the same.
BUT:
I have my PI on wifi, so if it really only listens on eth0 (contrary to what it says in the web ui) that would explain things? If so, what should I write instead of eth0?
If you have an "interface=" line, you close the system down to permit only listening on that particular interface.
If you leave out that line, dnsmasq should listen to all interfaces ... I believe.
Ps. all of these options are described on the man page for reference:
man dnsmasq
-i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically adds the loopback (local) interface to the list of interfaces
to use when the --interface option is used. If no --interface or --listen-address options are given dnsmasq listens
on all available interfaces except any given in --except-interface options. IP alias interfaces (eg "eth1:0") cannot be
used with --interface or --except-interface options, use --listen-address instead. A simple wildcard, consisting of a
trailing '*', can be used in --interface and --except-interface options.
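The rules in the man page excerpt above can be checked against a config file with a short script. This is an added example, not part of the original posts and not Pi-hole or dnsmasq code; the function names, the loopback name `lo`, the one-name-per-line config form and the sample interface list are assumptions.

```python
def _matches(pattern, name):
    # Per the excerpt, the only wildcard is a single trailing '*'.
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def parse_options(conf_text):
    """Collect interface-related options from dnsmasq-style 'key=value' lines."""
    opts = {"interface": [], "except-interface": [], "listen-address": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in opts and value:
            opts[key].append(value)           # assumption: one name per line
    return opts


def listening_interfaces(conf_text, available, loopback="lo"):
    """Return the sorted interface names dnsmasq would select by name."""
    opts = parse_options(conf_text)
    if opts["interface"]:
        chosen = {n for n in available
                  if any(_matches(p, n) for p in opts["interface"])}
        if loopback in available:
            chosen.add(loopback)              # added automatically with --interface
    elif opts["listen-address"]:
        chosen = set()                        # bound by address, not by interface name
    else:
        chosen = set(available)               # no restriction: all interfaces
    # except-interface entries are removed from whatever was selected.
    return sorted(n for n in chosen
                  if not any(_matches(p, n) for p in opts["except-interface"]))


if __name__ == "__main__":
    # Constructed sample: a Pi with wired, wireless and loopback interfaces.
    available = ["lo", "eth0", "wlan0"]
    for conf in ("interface=eth0", "", "interface=wlan*", "except-interface=eth0"):
        print(repr(conf), "->", listening_interfaces(conf, available))
```

With `interface=eth0` the result omits `wlan0`, which is the situation the question above asks about: a Pi reachable only over wifi would not answer queries arriving on that interface.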
Ok, I finally figured it out. Turns out the PI was not on the Fritzbox wifi, but on a secondary Asus RT-AC58U wifi. This box had its DNS server manually set to the Fritzbox. So even if the test VM I ran dig on is on Ethernet via the Fritzbox, the Asus box somehow interfered.
Setting the DNS on the ASUS box also to my PI's IP finally puts it properly into the loop.
Thanks for your support anyway and sorry for wasting everyone's time...
Don't forget to activate the tags again "never forward non...." that you removed for forwarding on the Pi-hole admin page!
And maybe close down listening behaviour again "Listen only on interface...".