Remember, that is not a complete or exhaustive list - you need to check your router using Wireshark/nmap and whatever.
I run a DMZ for my web server, so the router is not exposed on the front line - so maybe if you do have an option to add a DMZ on your router (and do not need access from outside your network (who does?)), turn it on and point it to 0.0.0.0; then any requests from the cloud to access the router will fail.
Does that work? If the router has a service listening on the port, it must respond; else, if it doesn't have a service running on the port or a NAT entry in place, it should drop the connection?
I'm not saying you're wrong, I'm just confused at the idea that a DMZ would take precedence over a listening service on the router as far as packets directed to it go. I'd have thought it'd look at its own kernel routing table before running through a NAT table.