Hass.IO - Baked-In DNS Client?

Ahoy. My Hass.IO units seem to have baked-in DNS.

They are DHCP clients with reservations, but do not appear to ONLY be using the DNS servers specified in the DHCP Scope options.

I have a firewall rule blocking any outboud traffic to port 53, unless it originated at my Pi-Hole(s). Logs show the Home Assistant VMs regularly attempting to get to 1.1.1.1, 8.8.8.8, and 9.9.9.9 on port 53. Since these requests are being blocked, but the Home Assistant VMS still appear to work, I can only assume that they’re using my DNS as specified by DCHP as well.

Anybody familiar with this behavior?

Cheers, Michael