Hmmm. Switching source routing off (so it still goes through my VPN) but changing the Nucleus’ DNS server in DHCP to 1.1.1.1 (Cloudflare’s DNS server, similar to Google’s 8.8.8.8 but less privacy-invasive) seems to have addressed the problem. There is some DNS dependency at work.
The only thing I can think of is my DNS server (unbound) validates DNSSEC and there may be invalid records that CloudFlare lets through that unbound doesn’t.
I don’t like Internet of Things devices exfiltrating data behind my back via DNS, and the Nucleus is particularly at risk because by the nature of streaming, it has to be on my main LAN, not on the highly restricted VLANs I leash IoT devices to. My normal settings are to block direct DNS access (e.g. to 1.1.1.1 or 8.8.8.8) to only trusted machines, although I don’t yet implement the blacklist of DNS over HTTP servers this guy (works on security at GitHub) does.