Now I feel stupid for not thinking of that myself. Thanks!

Make firewall filter rules in the input chain accepting UDP/TCP 53 traffic from sources you want to be able to use the router as a DNS server, and drop everything else.
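A concrete form of that advice, as an added example that is not from the original thread. It assumes the router is running MikroTik RouterOS (the "input chain" and "firewall filter" wording above fits that, but the thread does not say so); the address-list name `dns-clients` and the 192.168.88.0/24 and 10.0.0.0/8 ranges are constructed placeholders for whatever sources should be allowed to query the router:

```routeros
# Address list of sources allowed to use the router as a resolver (placeholders, adjust to taste)
/ip firewall address-list
add list=dns-clients address=192.168.88.0/24 comment="LAN"
add list=dns-clients address=10.0.0.0/8 comment="internal networks"

# Input chain: accept DNS from listed sources, then drop DNS from everyone else.
# Order matters: the accept rules must come before the drop rules, and all of
# them must sit above any generic "drop everything" rule already in the chain.
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address-list=dns-clients action=accept comment="DNS from allowed sources"
add chain=input protocol=tcp dst-port=53 src-address-list=dns-clients action=accept comment="DNS (TCP) from allowed sources"
add chain=input protocol=udp dst-port=53 action=drop comment="drop DNS from everyone else"
add chain=input protocol=tcp dst-port=53 action=drop comment="drop DNS (TCP) from everyone else"
```

Use `/ip firewall filter print` afterwards to confirm the rules landed in the intended order, and `/ip firewall filter print stats` to watch the drop rule's packet counter: a steadily rising count from the WAN side is the tell that the resolver was reachable from outside before the rules existed. Dropping both UDP and TCP matters because resolvers fall back to TCP for large responses, so an accept-UDP-only rule leaves the TCP listener exposed.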
Which was private, and outside of the ACL for recursion on the DNS server it was populating the cache from. Easily fixed by updating the ACL, though.

Not that I know of. The router will reliably choose the lowest IP address on the interface closest to the destination, though.