I find that my OpenWrt router seems to be refusing to return DNS answers where 127.0.0.1 (or any other reserved range like 10.*.*.*) is the answer from the server.
Example (192.168.1.1 is my OpenWrt router):
dig @192.168.1.1 dnstest.rexroni.com shows no answer (correct answer is 127.0.0.1).
But dig @192.168.1.1 dnstest2.rexroni.com shows the correct answer of 1.2.3.4, so the DNS connection is working.
If I use tcpdump on the machine that my router is connected to, I can actually see the DNS response with the 127.0.0.1 answer going into the router, but the router isn't forwarding that answer to anybody inside the network.
This does fix my problem, and I am now reading about rebinding attacks.
Can you tell me how the filter works? Is it just blindly filtering reserved IP addresses in responses? Or is it smart enough to, say, only filter out such responses when they are not signed with DNSSEC?
It's all private addresses, including the null address 0.0.0.0 or ::, and any IPv6 ULAs or LLAs. Generally you want to disable it when using a DNS service that performs any filtering.
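
A sketch of an address-based filter over the ranges listed in the reply above, added here as an example; it is not part of the thread and not the router's own code. The `exempt_domains` parameter and the whole-reply drop are assumptions of this sketch, and the sample replies are constructed.

```python
import ipaddress

# Ranges named in the thread, written out explicitly. Assumption: this list
# models the described behaviour; it is not the router's actual source.
FILTERED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",     # loopback (the 127.0.0.1 case from the question)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private IPv4
    "0.0.0.0/32", "::/128",                            # null addresses
    "fc00::/7",        # IPv6 unique local addresses (ULA)
    "fe80::/10",       # IPv6 link-local addresses (LLA)
)]

def is_filtered(addr):
    """True if addr falls in one of the ranges the filter rejects."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in FILTERED)

def is_exempt(qname, exempt_domains):
    """True if qname equals or is a subdomain of an exempted domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d)
               for d in (e.rstrip(".").lower() for e in exempt_domains))

def forward(qname, answers, exempt_domains=()):
    """Return the answers a client would receive, [] if the reply is dropped.

    Assumption: one filtered address suppresses the whole reply, matching
    the empty answer seen in the question.
    """
    if is_exempt(qname, exempt_domains):  # hypothetical per-domain exemption
        return list(answers)
    if any(is_filtered(a) for a in answers):
        return []
    return list(answers)

# Constructed upstream replies: the first two use the names and addresses
# from the question, the rest are made-up cases.
SAMPLES = {
    "dnstest.rexroni.com": ["127.0.0.1"],
    "dnstest2.rexroni.com": ["1.2.3.4"],
    "blocked.example": ["0.0.0.0"],        # null-address answer
    "ula.example": ["fd12:3456::1"],
    "mixed.example": ["203.0.113.7", "10.0.0.5"],
}

if __name__ == "__main__":
    for name, answers in SAMPLES.items():
        print(name, answers, "->", forward(name, answers) or "dropped")
```

Exempting a single domain keeps the filter active for every other name, which is narrower than switching it off entirely.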