When you have “Local On-Prem Resolution” AND “Block DNS rebinding attacks” enabled on a security policy, then any NIOS-X or NIOS-X-as-a-Service instance that has conditional forwarding to on-prem servers that respond to internal domains with RFC1918 addresses will be blocked. This would also apply if NIOS-X was doing a global forwarder to a DNS server that also responds to internal domain. The “Block DNS rebinding attacks” just sees RFC1918 and blocks it.