I'm trying to achieve the following:
1. Default DNS server to be my pihole. DNS server configured in my DHCP server is the pihole. by default have the router itself dns server be the pihole
2. Every DNS requests that are going elsewhere, to catch them and dnat them into the pihole
3. When my pihole fails, or unreachable for any reason, intercept any DNS request that goes to the pihole IP and redirect it to the router
4. When the pihole fails, also change the dns setting in the router, so that it will use an external DNS server that is reachable, such as cloudflare

I got most of it working just fine, I use netwatch on the pihole IP, and when its up I set the dns-server of the /ip dns section to be the pihole IP, and when its down I change it to CF
I use this together with snat to catch any DNS request that goes to the some other DNS server, and redirect it to my pihole. Those requests will appear in the pihole log as coming from the router, since its SNAT'd, but Its expected.
I enable or disable those two rules based on whether the pihole is available or not, via the same netwatch script.

My last issue is this - when the pihole is down, I want to catch any traffic that goes to it, and send it to the router for resolution. The router has DNS server configured to be CF at this point, so it should make everything work even while its down.
Sounds quite easy, since I thought it would be the same rules as the ones that forces the DNS server, but just using the router IP as the IP to force requests to.
Thing is, it works only partially, and I have no idea why. It catches any DNS requests that goes to an external, over the internet servers like 1.1.1.1, 8.8.8.8...but request to my internal DNS server is not being DNAT'd to my router.

Any suggestions why it happens?
This is the piece of configuration file that does everything: