04-01-2017 03:43 AM
For the past 2 hours I have been searching the Forums for an answer why Web Content Filtering is not working for me.
Attached are 3 screenshots that show info which was usually requested in other topics that were about this issue.
I also flushed the dns and cleared all browser data. But it just won't block any site.
http://i.imgur.com/Ywb0mR0.jpg
04-01-2017 05:54 AM
You can post pictures directly in the forum, not using an image sharing service which may be blocked by OpenDNS users' settings. And command outputs are best shown in plain text.
Unfortunately your images do not show why it doesn't work as expected. The command outputs look good so far. Do you possibly use Chrome with the Data Saver extension? Disable this! Or have you installed other browser plugins or add-ons which may interfere with your DNS server settings?
04-01-2017 06:19 AM
[Quote]Do you possibly use Chrome with the Data Saver extension? [/quote]
I don't. Screenshots are from a new notebook. Chrome was not even installed yet. Only Edge (which I used in the screenshots).
I did install Chrome now without any add-ons. Still no content filtering happening.
I also tested on a Huawei P9 lite with Chrome and Opera. It gets the correct OpenDNS servers from the DHCP, but no content filtering.
"Welcome" page says I am using OpenDNS, test site says I don't and I can access any pornsite that should be blocked.
Previously I tested with the secure DNS Servers from Norton Connect Safe, but I had the exact same experience there. DNS Servers are used, but no filtering.
04-01-2017 06:26 AM
https://dashboard.opendns.com/stats/all/totalrequests/today/
also shows that opendns gets requests from my site :-/
04-01-2017 07:48 AM
Norton also didn't work with filtering? Weird...
Copy & paste the complete plain text outputs of the following diagnostic commands to here:
(Trailing dots are part of the commands!)
nslookup www.exampleadultsite.com.
nslookup www.internetbadguys.com.
nslookup whoami.akamai.net.
tracert www.exampleadultsite.com
tracert www.internetbadguys.com
Also, perform these tests and tell me the results:
http://www.lagado.com/tools/cache-test
http://test-ipv6.com/
04-01-2017 09:19 AM
04-01-2017 09:26 AM
For what it's worth, I've been having pages blocked as well with no filtering enabled. If I add them to the custom white list they will load, and I get my custom "blocked" notices, but not sure what's going on.
04-01-2017 09:56 AM
Sad to see, you've got it! Case solved! That is it:
"page serial number - did not Change after step 3, the page age did increase. so I have a Proxy "somewhere" ?"
This is your ISP (Stadtwerke Hall in Tirol GmbH, citynet.at) operating a stealthed transparent proxy cache. Symptomatic for this is that the DNS responses (e.g. from OpenDNS and Norton) are almost ignored, and the ISP presents you with web content from their caching proxy servers instead, unrelated to the DNS query results and unrelated to what you may get from the real web servers. They do this to massively save traffic volume costs and to serve their customers quicker with web content. This technology is often used in the Pacific area and Africa, but very untypical for Central Europe.
You may want to contact your ISP to opt out from this caching. If this is not possible, your only option is to change to another ISP, or to use DNS responses from OpenDNS just randomly as is.
OpenDNS does exactly what you expect it to do: it logs all your DNS traffic and will report also all related domains as blocked (even if they are not being blocked in the browser for you), and it returns the correct result for every DNS query. However, this does almost not take effect when browsing the web, because your ISP does his own things with your web traffic.
04-01-2017 10:04 AM
Ah, btw, this is where you also can see this proxy thing:
1 3 ms 4 ms 2 ms 192.168.10.1
2 4 ms 2 ms 2 ms 172.16.254.1
3 5 ms 5 ms 3 ms 10ge-1-2.dc2-02-route-privat-01.as34347.net [80.92.112.185]
This 172.16.254.1 is a private IP address within the ISP network, but totally unrelated to your LAN address range 192.168.10.x.
04-01-2017 10:09 AM
@rotblitz thanks a lot! I will call my ISP first thing on Monday!
But 172.16.254.1 is not the proxy, it's the fiber router provided by my ISP. :)
I am forced to use the ISP router, so the ERLite3 192.168.10.1 is in its DMZ.
04-01-2017 10:17 AM
Whatever, it is untypical that a second hop in a traceroute is a private (RFC-1918) address. You will be most likely also unable to reach your network from outside unless your ISP does routing and port forwarding for you.
You may want to report back what the result of your call was. It may help other users in the same situation.
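An added example, not part of the original posts: a small Python parser for Windows `tracert` hop lines that flags hops after the first which still sit in private address space, the sign of an upstream NAT discussed above. The sample lines are the trace quoted in this thread (re-spaced); the RFC 6598 check goes beyond what the thread mentions, and the function names are made up for this sketch.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Hop lines from the trace quoted in this thread (whitespace reconstructed).
SAMPLE = """\
  1     3 ms     4 ms     2 ms  192.168.10.1
  2     4 ms     2 ms     2 ms  172.16.254.1
  3     5 ms     5 ms     3 ms  10ge-1-2.dc2-02-route-privat-01.as34347.net [80.92.112.185]
"""

# Hop number, then either "name [a.b.c.d]" or a bare "a.b.c.d" at end of line.
HOP = re.compile(
    r"^\s*(\d+)\s+.*?(?:\[(\d+\.\d+\.\d+\.\d+)\]|(\d+\.\d+\.\d+\.\d+))\s*$")

def parse_hops(text):
    """Return [(hop_number, IPv4Address)]; timed-out hops ('* * *') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append((int(m.group(1)),
                         ipaddress.ip_address(m.group(2) or m.group(3))))
    return hops

def upstream_private_hops(hops):
    """Hops after the first that are still private or shared address space."""
    found = []
    for number, ip in hops:
        if number == 1:
            continue  # the LAN gateway is expected to be private
        if any(ip in net for net in RFC1918):
            found.append((number, str(ip), "RFC 1918"))
        elif ip in CGNAT:
            found.append((number, str(ip), "RFC 6598"))
    return found

if __name__ == "__main__":
    for hop in upstream_private_hops(parse_hops(SAMPLE)):
        print("private hop beyond the LAN gateway:", hop)
```

A hit here only shows a second NAT layer in the path; it does not by itself identify a caching proxy.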
04-01-2017 10:22 AM
I can reach my home network without any issues using RDP, VPN (PPTP) and FTP.
My Edge Router (192.168.10.1) is the DMZ host of my ISP router (172.16.254.1), so I only have to configure port forwarding and VPN inside the Edge Router and not bother with the ISP router config at all.
I would prefer to switch the ISP router to bridge mode, but that is only possible when you have a business plan, which is very expensive.
This is the very first time that I encountered any kind of odd issues with my ISP. Which is why this surprises me quite a bit.
04-01-2017 10:31 AM
Ah, so you are able to access your Edge Router to manage it? I understood that you cannot. Then yes, you have double NAT which can be worked with, no problem for remote access from outside then. But they still interfere with your web traffic from inside, unfortunately. This can often not be seen with traceroute which measures the flow of ICMP packets only, not with port based TCP sessions like HTTP(S).
04-01-2017 12:24 PM
@rotblitz thanks for your help! Maybe you can help me to better understand what is going on? :)
So my client correctly asks OpenDNS for the IP address of a site.
In case that it is a blocked site, my client should not receive the address of the webserver, but get redirected to the "blocked" notification URL, correct?
At which point does the ISP proxy interfere?
To me it seems that it would have to alter the answer/redirect that I get from OpenDNS? So that instead of getting redirected to the "blocked" information, the client is sent to the webserver of the site that should be blocked.
Am I right?
04-01-2017 12:56 PM
DNS traffic and web traffic are different things. DNS is the phone book of the internet, web and other traffic is the phone lines of the internet. OpenDNS is only in charge of the DNS traffic.
No matter if a domain (not "site") has to be blocked, OpenDNS (or any other DNS service) returns the IPv4 and/or IPv6 address. In case of blocking they return their own IP addresses instead of the real one.
The browser now connects with this IP address information to this domain, but your ISP interferes with at least all web traffic (TCP/80, maybe also TCP/443) to analyze the HTTP header which contains the domain name and the URI. The ISP looks into his cache to see if the document in question is still stored there, and if so, he serves you out of the cache, ignoring the IP address information from the TCP header (provided by the DNS service) but using the information from the HTTP header. If this content is not found in the cache, they may even raise their own DNS query to be able to load the content from its original location into their cache, which cannot be like from OpenDNS.
So yes, they alter the information by ignoring the IP address information from DNS.
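An added example, not part of the original posts: a Python probe for the behaviour described above. It connects to one IP address while naming a different domain in the HTTP `Host` header, then checks whether the addressed server really answered. The local control server, the token and all function names are constructed for this sketch; `Via`, `X-Cache` and `Age` are headers caching proxies commonly add, though a stealthed proxy may strip them.

```python
import http.client
import http.server
import threading

PROXY_HEADERS = ("via", "x-cache", "age")  # commonly added by caching proxies

def start_control_server(token):
    """Constructed stand-in for a server you control: answers any Host with token."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = token.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_via_ip(ip, port, host, timeout=5.0):
    """Connect to ip:port but put a different name in the Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read(65536).decode("latin-1")
    finally:
        conn.close()

def classify(headers, body, token):
    """'rerouted' if another server answered, 'proxied' if a proxy left traces."""
    hints = [h for h in PROXY_HEADERS if h in headers]
    if token not in body:
        return "rerouted", hints
    return ("proxied" if hints else "direct"), hints

def probe(ip, port, host, token):
    _, headers, body = fetch_via_ip(ip, port, host)
    return classify(headers, body, token)

if __name__ == "__main__":
    srv = start_control_server("control-7f3a")
    print(probe("127.0.0.1", srv.server_address[1], "www.internetbadguys.com", "control-7f3a"))
    srv.shutdown()
```

On a real line the control server would sit outside the ISP network on port 80; a "rerouted" result means something in the path chose the content by `Host` header rather than by destination IP.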