Wrong IPs returned for domain, resulting in certificate errors

Hi,

I'm using NextDNS behind my Adguard installation as root DNS. I've tried to open this URL:

https://www.on1.com/creative-library/frost-and-snow-overlays/

Firefox showed me this error:

 Note for which Sites the certificate should have been issued.

I've tried to resolve the DNS entries manually on my Mac using dig:

dig www.on1.com    at 23:30:31
; <<>> DiG 9.10.6 <<>> www.on1.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19656
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.on1.com.            IN    A
;; ANSWER SECTION:
www.on1.com.        226    IN    A    52.45.242.92
www.on1.com.        226    IN    A    52.6.17.168
;; Query time: 62 msec
;; SERVER: <the IPv6 of my Router with Adguard installed on it>
;; WHEN: Mon Jan 08 23:30:43 CET 2024
;; MSG SIZE  rcvd: 72

While adguard logged these IPs:

Opening that IP shows the certificate that belongs to iot.blackberry.com: https://52.6.50.55/

After a few retries and reloads, the website finally got the right IPs resolved and showed a certificate that was suitable.

I've had this before with a login request to the AWS web console which failed because nextDNS returned a wrong IP not suitable for the requested domain.

Unfortunately I'm unable to see the resolved IPs in the NextDNS log. It just shows me if it's an A or AAAA response and that it was DNS over HTTPS.

Any ideas how to proceed or further debug this issue?
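
One way to approach the debugging asked about above, as an added example that is not part of the original post and is not NextDNS or AdGuard code: parse the A records out of dig output, diff them against what a second resolver returned, and check whether the certificate served by each address actually covers the hostname (the same thing the poster did by hand when browsing to https://52.6.50.55/). The dig text embedded in the script is copied from the post; the second resolver's answer set and the fake probe used offline are constructed placeholders, and the live `fetch_served_sans` function needs network access.

```python
"""Cross-check DNS answers from two resolvers and verify that the TLS
certificate served by each returned IP covers the hostname.

Added example for this thread; not NextDNS or AdGuard code."""
from __future__ import annotations

import re
import socket
import ssl

# dig output for www.on1.com as pasted in the thread (header lines trimmed)
DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.on1.com.            IN    A
;; ANSWER SECTION:
www.on1.com.        226    IN    A    52.45.242.92
www.on1.com.        226    IN    A    52.6.17.168
;; Query time: 62 msec
"""

# Constructed placeholder: what a second resolver (e.g. the DoH upstream) might
# have answered. 52.6.50.55 is the address the poster saw serving another
# site's certificate; the pairing with www.on1.com here is assumed, not logged.
OTHER_RESOLVER_ANSWER = {"52.6.50.55", "52.6.17.168"}

A_RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dig_a_records(dig_output: str) -> dict[str, set[str]]:
    """Return {owner_name: {ipv4, ...}} from the ANSWER section of dig output."""
    records: dict[str, set[str]] = {}
    for line in dig_output.splitlines():
        if line.startswith(";"):  # dig comment / header lines
            continue
        m = A_RECORD_RE.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            records.setdefault(owner, set()).add(m.group(2))
    return records


def compare_answers(first: set[str], second: set[str]) -> dict[str, set[str]]:
    """Split two answer sets into agreed and disputed addresses."""
    return {
        "common": first & second,
        "only_first": first - second,
        "only_second": second - first,
    }


def hostname_matches_san(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125-style match: exact name, or a leftmost '*' covering exactly one label."""
    host = hostname.rstrip(".").lower()
    for name in san_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.on1.com" -> ".on1.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def fetch_served_sans(ip: str, hostname: str, timeout: float = 5.0) -> list[str]:
    """Connect to `ip` with SNI `hostname` and return the DNS SANs of the served cert.

    Chain validation stays on; only the hostname check is disabled so we can
    see which certificate a suspect IP hands out. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the cert even when it is for another site
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]


def audit(hostname: str, resolver_a: set[str], resolver_b: set[str], probe=None) -> dict:
    """Report resolver disagreement and, if a probe is given, which addresses
    serve a certificate that does not cover `hostname`."""
    report = {"disagreement": compare_answers(resolver_a, resolver_b), "bad_cert_ips": set()}
    if probe is not None:
        for ip in sorted(resolver_a | resolver_b):
            if not hostname_matches_san(hostname, probe(ip, hostname)):
                report["bad_cert_ips"].add(ip)
    return report


if __name__ == "__main__":
    dig_ips = parse_dig_a_records(DIG_OUTPUT)["www.on1.com"]
    # Offline run: substitute fetch_served_sans for this constructed probe to go live.
    fake_probe = lambda ip, host: ["iot.blackberry.com"] if ip == "52.6.50.55" else ["*.on1.com"]
    print(audit("www.on1.com", dig_ips, OTHER_RESOLVER_ANSWER, probe=fake_probe))
```

Run it as-is for the offline comparison, or pass `probe=fetch_served_sans` to `audit` to actually connect to each address; an IP that ends up in `bad_cert_ips` is one whose served certificate would produce exactly the browser warning described in the post.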

1 reply

    • Centurio
    • 3 mths ago

    Today I've got another faulty resolution for u.gg, resulting again in a Firefox certificate warning.

    Nextdns resolved it like this:

    while dig resolved u.gg to:

    dig u.gg    at 21:02:47
    ; <<>> DiG 9.10.6 <<>> u.gg
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9987
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;u.gg.                IN    A
    ;; ANSWER SECTION:
    u.gg.            168    IN    A    52.58.78.215
    u.gg.            168    IN    A    18.196.37.7
    u.gg.            168    IN    A    35.157.84.226
    ;; Query time: 52 msec
    ;; SERVER: <the IPv6 of my Router with Adguard installed on it>
    ;; WHEN: Wed Jan 10 21:02:52 CET 2024
    ;; MSG SIZE  rcvd: 81

    This seems to happen now more often.
