SparroHawc
Nov 08, 2016, Aspirant
Comcast and DNS hijacking - how to narrow it down?
I can't get through to the DNS server I want to for love or money.
If I set my DNS server address to 1.2.3.4 (not a DNS server), I still get results.
If I get the Source of Authority for a given domain and query THAT for the authoritative result, I still get a non-authoritative result. (When I'm not at home, this doesn't happen.)
If I set my DNS server to a DNS server that returns different results than normal, I still get the normal results.
I have no idea if it's my router that's the problem, or if the transparent DNS proxy is further upstream. So, here's what I've tried to do to narrow down where it is.
- Set my router's primary and secondary DNS servers to something inside the LAN
- Change my computer's DNS server to the router
- Repeat the above tests
The router appears to return DNS requests like it's a standard DNS proxy, but it doesn't appear to be using the DNS server on its settings page - I still get DNS results from some mysterious server that I don't know where it is.
I chatted with a Netgear rep, and although I have doubts about how in-depth their technical knowledge is, the impression that I got is that the router itself doesn't actually use the settings I choose - instead, it uses the DNS servers it picks up from the ISP through DHCP. Including when I send a DNS request to the router.
I know Comcast has a history of putting their customers behind a transparent DNS proxy, but when I called their service people (and got increasingly frustrated with them), they insisted that it was my hardware.
I also know that Comcast pushes firmware updates to customer-owned hardware, so even if Netgear never sells hardware that performs sneaky DNS shenanigans, that doesn't mean Comcast hasn't forced it down my poor router's throat.
Does anyone know how to narrow this down to hardware or ISP, or can just speak from a technical standpoint about this and my router? I've sunk a full day of research on this and I feel like I'm getting nowhere...
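The two tests described in the post above (querying an address that runs no DNS server, and checking whether a zone's own name server answers authoritatively) can be scripted; the following is an added example, not part of the original thread. The function names and the `example.com` query name are assumptions, and `1.2.3.4` is the non-DNS address from the post.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Return (txid, packet) for a one-question DNS query (A record by default)."""
    txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # class IN

def parse_flags(resp, txid):
    """Header facts from a raw reply, or None if it is not a response to our query."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit clear
        return None
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(kind, facts):
    """kind 'bogus': target runs no DNS server. kind 'auth': target is the zone's own NS."""
    if kind == "bogus":
        return "intercepted" if facts else "no interception seen"
    if facts is None:
        return "inconclusive"
    return "direct" if facts["aa"] else "likely intercepted"

def probe(server_ip, name, kind, timeout=3.0):
    """Send one UDP query to server_ip:53 and classify whatever answers."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server_ip, 53))
            resp, _ = s.recvfrom(4096)
        except OSError:  # timeout or unreachable
            return classify(kind, None)
    return classify(kind, parse_flags(resp, txid))

if __name__ == "__main__":
    # 1.2.3.4 is the non-DNS address used in the post; example.com is a placeholder name.
    print("bogus-server test:", probe("1.2.3.4", "example.com", "bogus"))
```

Running the same probes once behind the router and once with the computer attached in bridge mode, as asked about in the replies, shows whether the result changes with the router out of the path.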
3 Replies
- DarrenM, Sr. NETGEAR Moderator
Hello SparroHawc
What the Netgear rep has told you is right. I am guessing it has to do with the DNS servers that Comcast is pushing down to you, but it would be hard to get a hold of someone high enough at Comcast to answer that question for you.
DarrenM
- SparroHawc, Aspirant
If I switch the device to bridge mode, would that prevent it from doing any packet modification if it -is- the router that's causing the issue? Can I hook a computer up with an ethernet cable to the device while it's in bridge mode and still be able to hit the internet?
- DarrenM, Sr. NETGEAR Moderator
Hello SparroHawc
Yes, you can, but it would be like hooking a PC up to a cable modem directly without a router's protection.
DarrenM