I have similar home setup, virtual everything, three EAP225 APs, etc. difference is that I’m using pfsence and network access is hardwired to my APs (instead of any sort of mesh). Just to be clear, there is roaming at my home, but traffic goes to the switch via a wired cable, rather then WiFi relay.
This problem has arisen numerous times, and it seems to me it’s caused by bad behavior on both sides.
On the customer side, what possible benefit do you see by blocking a request to e.g. Google DNS? If the request is legitimate, that causes a device or app to fail for no good reason. If malicious, the malware can accomplish the lookup with DoH, which is not possible for a home or small business system to block.
On the Rachio side, the firmware should use the DNS server(s) supplied via DHCP, in addition to its hard coded servers. If a query fails for any reason (no response, refused, non-existent domain, etc.), the next server in sequence should be tried. The overall request should not fail unless each server has been tried at least twice.