Possible Resolver Interoperability Issue with Alibaba-backed IoT Domain
Hi Team,
I have been troubleshooting an IoT device (FALA thermometer) that consistently fails only when Unbound forwards to upstream resolvers over DNS-over-TLS.
Environment:
- OPNsense
- Unbound
- DoT enabled
- IPv6 disabled
- Rebinding protection disabled
Observed behavior:
- Device works perfectly when upstream DoT is disabled.
When DoT is enabled:
- Device initially connects successfully and syncs backlog/history.
- After initial sync, periodic updates stop and the device reports connection errors.
- Other IoT devices on the same VLAN work correctly with DoT enabled.
The affected domain:
s22.xzfala.com
Resolves to:
ga-bp1fu3bj9wxbn2j0951tr.aliyunga0017.com
I observed intermittent SERVFAIL and upstream timeout responses in Unbound logs specifically during operation.
Example:
"all configured forward servers failed"
"upstream server timeout"
The interesting part is that the issue appears specifically during periodic refresh/reconnect behavior rather than initial resolution.
Allowlisting the domains and disabling security/threat features did not resolve the issue.
Could this indicate intermittent resolver issues, timeout handling, or DNSSEC/interoperability problems with the Alibaba-backed authoritative DNS infrastructure involved here?
Thank you.
1 reply
-
Please disregard; I got in contact with the Fala support team and the device does not support DoT.
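The post above is trying to tell apart two explanations for the SERVFAILs: the forwarder (Unbound over DoT) failing, or the device's own refresh behaviour. The script below is an added example, not code from the thread, OPNsense or Unbound. It parses Unbound reply lines in the layout produced by `log-replies: yes` (`[epoch] unbound[pid:tid] info: <client> <qname> <qtype> <qclass> <rcode> <rtt> <cached> <size>`) plus free-form error lines, then reports per-name rcodes, the spacing between consecutive SERVFAILs for the affected name, and whether each SERVFAIL coincides with an upstream error. The sample log is constructed; the exact error strings are taken from the post (real Unbound wording differs slightly, so the matcher uses the substring `forward servers failed`).

```python
"""Correlate Unbound SERVFAILs with upstream forwarder errors.

Added example for the thread above; not from OPNsense or Unbound.
Assumes Unbound's `log-replies: yes` reply layout:
  [epoch] unbound[pid:tid] info: <client> <qname> <qtype> <qclass> <rcode> <rtt> <cached> <size>
The log text below is constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: initial sync succeeds, then two refreshes 300 s apart SERVFAIL
# while an upstream error is logged at the same second. Another device keeps working.
SAMPLE_LOG = """\
[1700000000] unbound[1234:0] info: 192.168.20.50 s22.xzfala.com. A IN NOERROR 0.041231 0 89
[1700000000] unbound[1234:0] info: 192.168.20.50 ga-bp1fu3bj9wxbn2j0951tr.aliyunga0017.com. A IN NOERROR 0.038900 0 61
[1700000030] unbound[1234:0] info: 192.168.20.51 other-iot.example. A IN NOERROR 0.000123 1 57
[1700000300] unbound[1234:0] error: SERVFAIL <s22.xzfala.com. A IN>: all configured forward servers failed
[1700000300] unbound[1234:0] info: 192.168.20.50 s22.xzfala.com. A IN SERVFAIL 5.001002 0 41
[1700000600] unbound[1234:0] error: upstream server timeout
[1700000600] unbound[1234:0] info: 192.168.20.50 s22.xzfala.com. A IN SERVFAIL 5.000910 0 41
[1700000630] unbound[1234:0] info: 192.168.20.51 other-iot.example. A IN NOERROR 0.000101 1 57
"""

REPLY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[^\]]*\] info: (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>[A-Z]+) (?P<rtt>[\d.]+) "
    r"(?P<cached>[01]) (?P<size>\d+)$"
)
ERROR_RE = re.compile(r"^\[(?P<ts>\d+)\] unbound\[[^\]]*\] error: (?P<msg>.*)$")

# Substrings that identify a forwarder-side failure rather than a client or zone problem.
UPSTREAM_MARKERS = ("forward servers failed", "upstream server timeout")


def parse_log(text):
    """Return (replies, errors): replies as dicts, errors as (epoch, message) tuples."""
    replies, errors = [], []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            d["rtt"] = float(d["rtt"])
            d["cached"] = d["cached"] == "1"
            replies.append(d)
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((int(m["ts"]), m["msg"]))
    return replies, errors


def rcode_summary(replies):
    """Per-qname Counter of rcodes, e.g. {'s22.xzfala.com.': Counter({'SERVFAIL': 2, ...})}."""
    out = defaultdict(Counter)
    for r in replies:
        out[r["qname"]][r["rcode"]] += 1
    return dict(out)


def servfail_gaps(replies, qname):
    """Seconds between consecutive SERVFAILs for qname; a steady gap points at a periodic refresh."""
    ts = sorted(r["ts"] for r in replies if r["qname"] == qname and r["rcode"] == "SERVFAIL")
    return [b - a for a, b in zip(ts, ts[1:])]


def upstream_failures(errors):
    """Count error messages that blame the forwarder."""
    return Counter(msg for _, msg in errors if any(k in msg for k in UPSTREAM_MARKERS))


def servfails_are_upstream(replies, errors, qname, window=1):
    """True when every SERVFAIL for qname has an upstream error within `window` seconds."""
    fails = [r["ts"] for r in replies if r["qname"] == qname and r["rcode"] == "SERVFAIL"]
    up = [ts for ts, msg in errors if any(k in msg for k in UPSTREAM_MARKERS)]
    return bool(fails) and all(any(abs(f - u) <= window for u in up) for f in fails)


if __name__ == "__main__":
    replies, errors = parse_log(SAMPLE_LOG)
    print(rcode_summary(replies))
    print("SERVFAIL gaps for s22.xzfala.com.:", servfail_gaps(replies, "s22.xzfala.com."))
    print(upstream_failures(errors))
    print("all SERVFAILs coincide with upstream errors:",
          servfails_are_upstream(replies, errors, "s22.xzfala.com."))
```

On a real OPNsense box, feed it the output of `log-queries`/`log-replies` from the Unbound log rather than the constructed sample; if the SERVFAILs line up with forwarder errors at a fixed interval, the forwarder path (DoT to the upstream) is the thing to test next, independently of the device.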
