Local DNS records resolving on router but not on LAN clients (on VLAN)

I have set a local DNS record under Network > DHCP and DNS > General > Addresses that resolves "keycloak.domain.de" to a local IP address.

When I do "nslookup" via the router itself, it says:

root@router:~# nslookup keycloak.domain.de
Server:         X.X.X.1
Address:        X.X.X.1:53

Name:   keycloak.domain.de
Address: X.X.X.242

Non-authoritative answer:

When I do nslookup via a client on my LAN (separated in VLANS), it says:

nslookup keycloak.domain.de
Server:		X.X.X.1
Address:	X.X.X.1#53

Non-authoritative answer:
Name:	keycloak.domain.de
Address: [PUBLIC IP instead of LOCAL IP]

When I try to force an authoritative answer, I get:

nslookup -type=ns keycloak.domain.de
Server:		X.X.X.1
Address:	X.X.X.1#53

Non-authoritative answer:
*** Can't find keycloak.domain.de: No answer

Authoritative answers can be found from:
domain.de
	origin = XXX
	mail addr = XXX
	serial = XXX
	refresh = XXX
	retry = XXX
	expire = XXX
	minimum = XXX

Here are screenshots of my LuCI settings. If you need config files, I can paste them here.

Question: What am I doing wrong? Why is that domain name not resolving locally on my LAN client? Is it because of it being on a VLAN?

EDIT: Of course I have whitelisted the domain to be excluded from rebind protection.

Since you're masking the DNS IP, I assume it's not the LAN IP of the router?

Oh, sorry… it is the LAN IP.

For the time being, I am going to use my Pi-Hole instances for local DNS.

But I would love to get my head around this, in case I change my setup.

If you have any tips - please share.
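The router-versus-client comparison the thread is doing by hand, as an added example that is not part of the original posts and not OpenWrt or dnsmasq code: a POSIX shell script that parses nslookup output, pulls out the answer address (skipping the "Address:" line that names the server being queried), and reports whether the resolver handed back an RFC 1918 address or a public one. The three sample outputs are constructed to mirror the three queries above; 192.168.1.1, 192.168.1.242 and 203.0.113.10 are placeholders for the masked addresses, and the resolver and hostname used by the live check are whatever you pass on the command line. Querying the resolver explicitly (`nslookup NAME RESOLVER`) bypasses /etc/resolv.conf, stub resolvers and DoH clients on the client host, which is the first thing to rule out when the router answers correctly but a client does not.

```shell
#!/bin/sh
# Added example (not from the forum thread or the OpenWrt project).
# Classifies the address a resolver returns for a name as local (RFC 1918)
# or public, so a router-vs-client mismatch can be checked from a script.

# is_private_ipv4 ADDR: exit 0 if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        *) return 1 ;;
    esac
}

# answer_address OUTPUT: print the address from the first "Address:" line
# that follows a "Name:" line. The "Address:" line before "Name:" is the
# server being queried, which is why it is skipped. Handles both the BusyBox
# (router) and BIND (client) nslookup layouts shown in the thread.
answer_address() {
    printf '%s\n' "$1" | awk '
        $1 == "Name:"                 { in_answer = 1; next }
        in_answer && $1 == "Address:" { print $2; exit }
    '
}

# classify_answer OUTPUT: print "local", "public" or "none" (no answer).
classify_answer() {
    addr=$(answer_address "$1")
    if [ -z "$addr" ]; then
        echo none
    elif is_private_ipv4 "$addr"; then
        echo local
    else
        echo public
    fi
}

# check_resolver RESOLVER NAME: query RESOLVER explicitly (bypassing
# /etc/resolv.conf, stub resolvers and DoH clients on this host) and classify.
check_resolver() {
    out=$(nslookup "$2" "$1" 2>&1)
    printf '%s answers %s -> %s\n' "$1" "$2" "$(classify_answer "$out")"
}

# Constructed sample outputs mirroring the three queries in the thread;
# 192.168.1.x and 203.0.113.10 stand in for the masked addresses.
ROUTER_SAMPLE='Server:         192.168.1.1
Address:        192.168.1.1:53

Name:   keycloak.domain.de
Address: 192.168.1.242

Non-authoritative answer:'

CLIENT_SAMPLE='Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   keycloak.domain.de
Address: 203.0.113.10'

NS_SAMPLE="Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
*** Can't find keycloak.domain.de: No answer"

if [ "$#" -ge 2 ]; then
    # Usage: sh dnscheck.sh RESOLVER NAME   (e.g. the router's LAN IP and the record)
    check_resolver "$1" "$2"
else
    # Offline demo on the constructed samples: local / public / none.
    printf 'router sample: %s\n' "$(classify_answer "$ROUTER_SAMPLE")"
    printf 'client sample: %s\n' "$(classify_answer "$CLIENT_SAMPLE")"
    printf 'ns sample:     %s\n' "$(classify_answer "$NS_SAMPLE")"
fi
```

Run it once from the router and once from a client on the VLAN with the same resolver address; if the router reports "local" and the client "public" for the same resolver, the answers really are diverging at the resolver side rather than the client using a different upstream. Private-range detection covers IPv4 only.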