The servers at 192.168.3.46 are in my employer's data center. They resolve all DNS requests at my place of work.
I'm afraid to mess with my routes because my VPN connectivity is fully functional in every way except for DNS resolution. I can ssh into my router over the VPN and I can even connect to my home NAS via my VPN and move files in both directions. But I can't contact the DNS server on my router, not even with the Windows nslookup utility.
So <option localservice '0'> is the first thing I tried when I got into work this morning and of course this fixed my DNS problem immediately (many MANY thanks @vgaetra), but my security spidey-sense is tingling. I'd love to be able to tell dnsmasq that 192.168.200.0 is a local subnet so I can turn localservice back on. I have 2 rental suites in my property and both tenants are on my router, so the less security exposure I have the better. Note that all subnets, MAC addresses and other tokens in the above conversations are not my real configuration.
Many Linux distros don't provide a safe firewall config out of the box.
When their users install dnsmasq, it should not create a source of DNS amplification attacks.
So the author of dnsmasq added this option.
Your OpenWrt setup is not an unconfigured installation.
It has firewall zones, policies and rules, which you can modify to serve your needs.
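
The two layers discussed in this thread, modelled as an added example (not code from either poster, from dnsmasq or from OpenWrt): dnsmasq's localservice check answers only sources on a subnet that has an interface on the router, while the firewall decides which zones may reach port 53 at all. Every subnet, zone name and address below is a constructed assumption, and zones are picked by source address here for brevity, whereas a real firewall classifies by ingress interface.

```python
import ipaddress

# All values are constructed for illustration, not the poster's real setup.
# Subnets for which the router has an interface (what localservice treats as local).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
# Simplified zone lookup by source network (assumed zone names).
ZONE_NETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "vpn": ipaddress.ip_network("192.168.200.0/24"),
}
# Zones whose traffic the firewall lets reach port 53 on the router itself.
DNS_ALLOWED_ZONES = {"lan", "vpn"}

SAMPLE_SOURCES = ["192.168.1.50", "192.168.200.10", "203.0.113.7"]


def zone_of(src):
    """Return the zone a source address belongs to; anything unknown is wan."""
    addr = ipaddress.ip_address(src)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "wan"


def firewall_accepts(src):
    """Layer 1: does the firewall let this source reach the DNS port?"""
    return zone_of(src) in DNS_ALLOWED_ZONES


def dnsmasq_accepts(src, localservice):
    """Layer 2: with localservice on, only sources on a local subnet are answered."""
    if not localservice:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_SUBNETS)


def exposure(sources, localservice):
    """Map each source to whether its query gets an answer through both layers."""
    return {s: firewall_accepts(s) and dnsmasq_accepts(s, localservice)
            for s in sources}


if __name__ == "__main__":
    for ls in (True, False):
        print("localservice", int(ls), exposure(SAMPLE_SOURCES, ls))
```

With localservice off, dnsmasq itself would answer the WAN address, so the firewall's zone rules are the only thing keeping the resolver from being reachable from outside.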