2.1 - diagnostics/arp doesn't use local DNSmasq for name lookups
As the title states the diagnostics/arp doesn't use the local dnsmasq/forwarder for the DNS name lookups. It just uses the DNS servers listed in the general tab.
As a result any over-rides you have configured in the dns forwarder are not displayed correctly, as well as leading to a long timeout with several 1000 ARP addresses waiting to timeout on failed DNS lookups.
It uses the DNS server defined in /etc/resolv.conf for the firewall. If you have the default setting in place to have the firewall use the DNS forwarder (On System > General) then it will use the DNS forwarder there.
Problem turned out to be the dns forwarder was not listening on localhost so of course it wouldn't work ;)
Sorry for the false alarm!