DNS Server Behind NAT

To sum up what has been previously written in comments with some further explanation:

It looks a bit like your NAT rules for UDP were broken. An indication is the error message reply from unexpected source: 1.2.3.4#13731, expected 1.2.3.4#53 and your trace taken from the client where the response looks like dns.example.com.29242 > pc.external.com.43845: UDP, length 95. The source port for the response packet should be 53, it is correct in your dump taken from the DNS server (where resolves to domain for display purposes).

While some (especially historic) resolvers may accept DNS responses from different ports / IPs, most would not - mainly due to security reasons to impede DNS spoofing and cache poisoning attacks.

At any rate, for connectionless UDP NAT traffic, your router should preserve state data from the previously received UDP DNS query packet and re-map the IP:port tuple for the response packet back to 1.2.3.4:53 - which it apparently does not. It may be a configuration error or a bug in the way the router is handling the UDP state table for port forwarding cases - so your best bet would be to open a case with the manufacturer's customer support (having upgraded the code to the latest/greatest beforehand - such an issue is likely to have been noticed by other users previously and thus likely to already be fixed).