Aha! This isn’t a firewall problem, it’s a DNS problem.
My DNS config is as follows, and gets sent to clients when they obtain their IP address via DHCP:
The first one is a DNS server I run internally to provide name resolution for devices on my internal network. The other two are Google's and handle everything else. My DNS server doesn't forward requests for domains it doesn't know: it expects the clients to fall back to the other two name servers that were provided as part of DHCP.
All other clients on my home network correctly handle this. It appears the Rachio DNS client doesn’t do this, and simply gives up when it gets a “nope” response from my DNS server.
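The fallback behaviour described above, as an added example that is not part of the original post: a constructed model of the DHCP-provided server list in which the internal server answers only for its own zone and returns REFUSED for everything else (an assumption standing in for the "nope" response), compared across a client that moves on to the next server and one that stops at the first answer. Zone names and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# DNS RCODE values from RFC 1035
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


@dataclass
class Reply:
    rcode: int
    address: Optional[str] = None


# Constructed sample zone data (not real hosts)
INTERNAL_ZONE = {"printer.home.lan": "192.168.1.20"}
PUBLIC_ZONE = {"api.example.com": "203.0.113.10"}


def internal_server(name: str) -> Reply:
    # Authoritative only: refuses names outside its zone instead of forwarding
    if name in INTERNAL_ZONE:
        return Reply(NOERROR, INTERNAL_ZONE[name])
    return Reply(REFUSED)  # assumed form of the "nope" response


def public_server(name: str) -> Reply:
    # Stand-in for the two upstream resolvers handed out by DHCP
    if name in PUBLIC_ZONE:
        return Reply(NOERROR, PUBLIC_ZONE[name])
    return Reply(NXDOMAIN)


# Server order as the DHCP lease advertises it: internal first, then two public
DHCP_NAMESERVERS: List[Callable[[str], Reply]] = [internal_server, public_server, public_server]


def resolve_with_fallback(name: str, servers=DHCP_NAMESERVERS) -> Reply:
    """Client that tries the next configured server when one refuses the query."""
    for server in servers:
        reply = server(name)
        if reply.rcode == REFUSED:
            continue  # this server won't answer; ask the next one
        return reply  # NOERROR or a definitive NXDOMAIN ends the search
    return Reply(REFUSED)  # every server refused


def resolve_first_only(name: str, servers=DHCP_NAMESERVERS) -> Reply:
    """Client that gives up after whatever the first server says."""
    return servers[0](name)
```

A stub resolver that retries on REFUSED reaches the public zone; one that takes the first reply as final never resolves anything the internal server does not know.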