Strange issue with client
Hello all,
I have installed the NextDNS client on a Rocky 9 host. The intent is to send certain clients to this host for DNS resolution via NextDNS. I got it installed, but am seeing a strange issue.
I can resolve just fine while the client is running on the host itself:
[root@localhost ~]# dig google.com
; <<>> DiG 9.16.23-RH <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42528
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 5 IN A 142.250.190.46
;; Query time: 53 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 04 16:58:21 EST 2025
;; MSG SIZE rcvd: 55
If I try from a remote host, I get this:
root@pxsrv:~# dig google.com @192.168.5.25
;; communications error to 192.168.5.25#53: host unreachable
;; communications error to 192.168.5.25#53: host unreachable
;; communications error to 192.168.5.25#53: host unreachable
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> google.com @192.168.5.25
;; global options: +cmd
;; no servers could be reached
If I do a tcpdump, I can see the queries coming in, but no response:
[root@localhost ~]# tcpdump -i enp1s0 port 53 and host 192.168.5.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:02:04.176935 IP 192.168.5.1.41894 > redacted.domain: 36462+ [1au] A? gooogle.com. (52)
17:02:04.177433 IP 192.168.5.1.33802 > redacted.domain: 36462+ [1au] A? gooogle.com. (52)
17:02:04.177891 IP 192.168.5.1.44247 > redacted.domain: 36462+ [1au] A? gooogle.com. (52)
I have tried setting listen to 0.0.0.0:53 to listen on all interfaces, but the issue persists. I can also do a netcat from a remote host; the port appears to be open and listening:
nc -vz -u 192.168.5.25 53
Connection to 192.168.5.25 53 port [udp/domain] succeeded!
SELinux is disabled, and there are no firewall rules applied:
[root@localhost ~]# sestatus
SELinux status: disabled
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Any known issues that might be specific to Rocky 9? I have not tested on another distro yet, but I am a bit perplexed as to why this issue is occurring.
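Added example (not from the post above and not NextDNS project code): a small Python probe that sends a real DNS A query over UDP to a resolver address and waits for the answer. It is useful here because `nc -vz -u` reports "succeeded" for UDP whenever no ICMP port-unreachable message comes back, so it does not prove that anything is actually answering on that address; a timeout from this probe while tcpdump shows the query arriving points at the listener (bind address or reply path) rather than the network. The resolver IP, query name and timeout are assumed parameters; the sample response bytes used for offline checking are constructed and mirror the answer shown in the post's dig output.

```python
"""Probe a DNS resolver with a real query instead of relying on nc -u.

Run as:  python3 dnsprobe.py 192.168.5.25 google.com
"""
import socket
import struct
import sys


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (no EDNS) with recursion desired."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes, expected_id: int) -> dict:
    """Parse the header and A records out of a DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch: reply is not for our query")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    addresses = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(socket.inet_ntoa(rdata))
    return {
        "qr": bool(flags & 0x8000),   # response bit set
        "rcode": flags & 0x000F,      # 0 = NOERROR
        "answers": an,
        "addresses": addresses,
    }


def probe(server: str, name: str = "google.com", timeout: float = 2.0, port: int = 53) -> dict:
    """Send one query to server:port and report what (if anything) came back."""
    qid = 0x4A2C  # constructed transaction id
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            # Query left the host but nothing answered: listener not bound to or
            # not replying from this address, or replies dropped on the way back.
            return {"reachable": False, "error": "timeout: no reply from %s:%d" % (server, port)}
        except OSError as exc:
            # e.g. ICMP port/host unreachable surfaced as a socket error
            return {"reachable": False, "error": str(exc)}
    result = parse_response(data, qid)
    result["reachable"] = True
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    qname = sys.argv[2] if len(sys.argv) > 2 else "google.com"
    print(probe(target, qname))
```

Running it against 127.0.0.1 and then against the host's own interface address (192.168.5.25 in the post) from the same machine separates "the client only answers on loopback" from "the remote network never sees the reply"; a NOERROR result with addresses on loopback and a timeout on the interface address means the problem is local to the listener, not the LAN.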