If this is true, why isn't it accessible from outside? Unlike regular port-forwarding rules, these DNS ones don't make the RB's DNS server (or any other one) available to clients outside the internal LAN, so I'm wondering what the difference is that makes them only usable from LAN and not the WAN too."...they suspiciously look like the rules for port-forwarding..."
Reason is that is exactly what those rules are