A host behind a firewall sends a DNS query for a domain, for example example.com, and the DNS server returns that domain's public IP address.
This is the public (outside) address of the server as seen after NAT, but a host on the inside of the firewall must reach the server by its private (inside) address.
DNS Doctoring is the firewall feature that inspects the DNS response and checks its NAT table for an entry matching the returned public address.
If it finds an entry, it rewrites the A record in the response with the "real" private address before forwarding the response to the client.
DNS doctoring breaks DNSSEC because the rewritten A record no longer matches the signature (RRSIG) that covered the original answer, so a validating client rejects the response.
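The following is an added simulation, not code from any firewall product. It builds a DNS reply in wire format, performs the NAT-table lookup and A-record rewrite that DNS doctoring does, and then shows why a signed answer stops validating after the rewrite. The NAT table, the name and the addresses are constructed (RFC 5737 documentation ranges), and the SHA-256 digest used as a stand-in for an RRSIG is a deliberate simplification of DNSSEC's public-key signature over the RRset.

```python
"""Simulated DNS doctoring: a firewall rewriting A records in a DNS reply from
its NAT table, and the effect of that rewrite on a signed (DNSSEC) answer.

Constructed example for illustration; not the code of any firewall product.
The NAT table, names and addresses are made up (RFC 5737 documentation ranges).
"""
from __future__ import annotations

import hashlib
import socket
import struct
from typing import Iterator

# Constructed static NAT table: public (outside) address -> private (inside) address.
NAT_TABLE = {"203.0.113.10": "10.0.0.10"}


def build_a_response(name: str, ip: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response carrying one A record (constructed test input)."""
    # Header: ID, flags (QR=1 RD=1 RA=1), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer: compression pointer to the QNAME at offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH=4, RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _answer_section_start(pkt: bytes) -> int:
    """Offset of the first answer record: header plus all question entries."""
    qdcount = struct.unpack_from("!H", pkt, 4)[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    return off


def iter_answers(pkt: bytes) -> Iterator[tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlength) for each answer-section record."""
    ancount = struct.unpack_from("!H", pkt, 6)[0]
    off = _answer_section_start(pkt)
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlength
        off += rdlength


def a_records(pkt: bytes) -> list[str]:
    """Dotted-quad addresses of all IN A records in the answer section."""
    return [socket.inet_ntoa(pkt[off:off + 4])
            for off, rtype, rclass, rdlength in iter_answers(pkt)
            if rtype == 1 and rclass == 1 and rdlength == 4]


def doctor_response(pkt: bytes, nat_table: dict[str, str]) -> tuple[bytes, list[tuple[str, str]]]:
    """What the firewall does: for every A record whose address has a static NAT
    entry, overwrite the RDATA with the inside (private) address.
    Returns the rewritten packet and the (public, private) pairs that changed."""
    buf = bytearray(pkt)
    rewrites: list[tuple[str, str]] = []
    for off, rtype, rclass, rdlength in iter_answers(pkt):
        if rtype != 1 or rclass != 1 or rdlength != 4:
            continue
        public_ip = socket.inet_ntoa(pkt[off:off + 4])
        private_ip = nat_table.get(public_ip)
        if private_ip is not None:
            buf[off:off + 4] = socket.inet_aton(private_ip)  # same length, so counts and offsets stay valid
            rewrites.append((public_ip, private_ip))
    return bytes(buf), rewrites


def sign_answers(pkt: bytes) -> bytes:
    """Stand-in for the RRSIG: a SHA-256 digest over the answer section.
    Real DNSSEC uses a public-key signature over the canonical RRset; the
    property that matters here is the same: the signature covers the RDATA bytes."""
    return hashlib.sha256(pkt[_answer_section_start(pkt):]).digest()


def verify_answers(pkt: bytes, signature: bytes) -> bool:
    """Validating resolver's check: does the answer data still match what was signed?"""
    return hashlib.sha256(pkt[_answer_section_start(pkt):]).digest() == signature


if __name__ == "__main__":
    reply = build_a_response("example.com", "203.0.113.10")
    rrsig = sign_answers(reply)  # produced on the authoritative side, before the firewall sees it
    doctored, changed = doctor_response(reply, NAT_TABLE)
    print("rewrites:", changed)
    print("inside client now sees:", a_records(doctored))
    print("signature still valid after doctoring:", verify_answers(doctored, rrsig))
```

Because the private address is the same length as the public one, the firewall can patch the RDATA in place without touching the header counts or the compression pointers; that is also exactly why the change is invisible to everything except a signature check, which is the point of the last line of the note above.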