DNSMASQ rebind attacks, ASUS routers

This has probably been mentioned on here before but when NextDNS IP addresses are setup as WAN DNS servers on an ASUS router and DNS TLS is enabled etc and adblocking occurs via filters through NextDNS dashboard there are system logs on the router showing rebind attacks from examples scribe.roku.com, cooper.logs. etc roku devices or some others as well. Options of DNS rebinding protection is enabled at NextDNS and also on router, but still dnsmasq on the router is seeing these false dns replies. One option is to turn off DNS rebind protection at the router level since nextdns is used, but it should be that these domains are properly dropped before they even reply back to router and private ip devices? I would think dnsmasq on these routers would have ability to add 0.0.0.0 or perhaps at the DNS level of NextDNS service? When I use adguard or another provider I do not get these false rebind system logs?