Reply to Incorrect DNS resolution in iOS 14
This is to do with how iOS handles sending DNS requests after version 14. Now DNS requests are encrypted using HTTPS in a “Type 65” request rather than your standard port 53 DNS request. Depending on how your DNS server handles type 65 requests (I know dnsmasq, and by extension Pi-hole, has trouble with this), the server may not match it to a local record and just automatically forward the request to the upstream servers. iOS does actually follow up the type 65 request with a regular request for compatibility's sake; however, most of the time the device will get back the forwarded (public) response before the local response due to the time between requests, and resolve the FQDN to the public address. As of now there is no firm solution, as we need to wait for an updated version of the DNS server, and encrypted DNS cannot be turned off in iOS. The only workaround is, if you have a firewall between your device and DNS server, to block HTTPS traffic and only allow UDP 53. Resolve times will be slower due to the time between DNS requests, but it will resolve properly.
Mar ’21
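Added example, not part of the original reply: a small DNS question parser that lists which names in a local zone are being asked for with query type 65 (the HTTPS resource record type), so an administrator can see which local records are exposed to the forwarding behaviour described above. The zone `home.lan`, the host names and the sample packets are constructed for illustration.

```python
import struct

HTTPS_QTYPE = 65  # HTTPS resource record type (RFC 9460)

def build_query(name, qtype, txid=0x1234):
    """Build a minimal one-question DNS query (RD set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (name, qtype) of the first question; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype

def local_type65_names(packets, local_suffix):
    """Names at or under local_suffix that were asked for with type 65."""
    hits = set()
    for pkt in packets:
        try:
            name, qtype = parse_question(pkt)
        except ValueError:
            continue  # skip malformed input instead of aborting the scan
        if qtype == HTTPS_QTYPE and (name == local_suffix
                                     or name.endswith("." + local_suffix)):
            hits.add(name)
    return sorted(hits)

# Constructed sample: type 65 and A queries for a local name, one public name, one runt.
SAMPLE = [build_query("nas.home.lan", 65), build_query("nas.home.lan", 1),
          build_query("example.com", 65), b"\x00\x01"]
```

Feed it the raw DNS payloads from a capture taken at the resolver; any local name it returns is one to test against the resolver's handling of type 65.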