I did! I even tried natting it to an internal DoT server, I knew it would fail since obviously I don’t have the Cloudflare certificates it would expect but, I’m happy to report that it stopped now. That’s what I logged in to do.
Because of its own NAT problem I decided to start over instead. I use HA as for its nicer user UI compared to my controller’s; for automation it’s too complex. Without any automation I had not much to lose.
I downloaded the latest Home Assistant, already on v8, not just a point upgrade from my 7.x, the OVA didn’t work in Fusion, Workstation or vCenter (!) so I unzipped the it, grabbed the VMDK and dropped it into now the emptied skeleton of the old HA VM. I turned it on and I saw the little thumbnail in vCenter fill with some green color, a good indication Linux is loading. I forgot about it. Later I tried its address and it was ready to be setup. Since it kept its MAC address it got the network settings from DHCP, DHCP6, RA and [I assume] DNS-SD, for the integrations/devices I just need to MQTT it to the main controller. I enabled voluntary analytics once again but I wasn’t sure about the crash reports–I need to get on the specifics of that.
The only 853 now is between two DNS processing nodes on the way out, but that doesn’t appear with a big red X next to it. I think this all may have just been a bug.
Nevertheless, thank you for answering. I don’t know how to mark this solved though. I don’t think I can solve it myself–particularly I did not do anything worth called a fix. Oh well… 