dnsmasq retornando HTTPS em vez de NODATA

Estou tentando configurar um DNS em um servidor Ubuntu usando dnsmasq para pessoas que se conectam à VPN. Não quero que as pessoas pesquisem sites de conteúdo adulto dessa VPN.

Então eu instalo o dnsmask e o configuro para usar uma lista de hosts banindo a maioria dos sites de conteúdo adulto conhecidos: https://github.com/Sinfonietta/hostfiles/blob/master/pornography-hosts

Para pornhub.com está funcionando e recebo os seguintes logs:

dnsmasq[2438]: query[HTTPS] pornhub.com from 10.8.0.4
dnsmasq[2438]: forwarded pornhub.com to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] pornhub.com from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content pornhub.com is 0.0.0.0
dnsmasq[2438]: reply pornhub.com is NODATA

No entanto, por algum motivo, quando um site pode ser resolvido por meio de ipv6, o cliente ainda pode acessar o site. Por exemplo, hanime.tv é resolvido mesmo que o dnsmasq encontre a configuração em /etc/hosts-porn-content:

dnsmasq[2438]: query[HTTPS] hanime.tv from 10.8.0.4
dnsmasq[2438]: forwarded hanime.tv to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] hanime.tv from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content hanime.tv is 0.0.0.0
dnsmasq[2438]: reply hanime.tv is <HTTPS>

Aqui está minha configuração do dnsmasq:

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
clear-on-reload
filter-AAAA

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
addn-hosts=/etc/hosts-porn-content

configuração systemd-resolve:

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=127.0.0.1
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
DNSStubListener=no
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

Configuração do OpenVPN para usar o DNS:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.8.0.1"

Conteúdo /etc/hosts:

127.0.0.1 localhost
127.0.1.1 serv

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Tentei desabilitar o IPV6 no computador que executa o servidor DNS, porém o cliente não conseguiu pesquisar nada na web...

E o filtro-AAAA não funciona, pelo menos não entendo o que ele está fazendo.

Por fim, limpo o cache DNS fazendo:

resolvectl flush-caches
pkill -HUP dnsmasq
pkill -USR1 dnsmasq