Unbound and NextDNS - ad blocking is acting strangely

Hi!

I posted once yesterday with a similar title, only to delete it within 5 minutes, as I wanted to experiment more.

Our router uses Unbound on opnsense, using DNS over TLS to forward to NextDNS - up until 2 days ago, everything's worked fine - in particular, ad blocking has exactly as it should.

Starting a couple days ago, though, ads have begun slipping through, but only when browsing through our router - disconnected from the router (i.e. mobile using cell), ad blocking via the same profile as we use in the router behaves as expected.

All other things appear to work fine - blocklists, parental control, etc - it's only ad-blocking, and not all ad blocking, that's failing. We use Hagezi Pro++, Pro, and Normal, and OISD, along with short lists of denied and allowed sites.

When I do an nslookup, or run an adblock test, on a site that should be blocked, I can see the site appear as blocked in the logs, but looking at Unbound's logs, I also see the records return with valid IPs.

Nothing's changed on my router in more than a week - this just came out of nowhere, which is a bit unfortunate.

If anyone has any suggestions, I'd love to hear them - TIA!