I have been running unbound with loglevel 3 to see what it does, and I get quite a lot of these messages:
debug: outnettcp got tcp error -1
It seems unbound wants to use tcp but fails to do so, and then falls back to udp. I am not blocking tcp connections in the firewall rules AFAIK, and this behavior does persist when I set Sensei to bypass mode.
If I enable DNS over TLS I occasionally get messages like these:
debug: tcp error for address 9.9.9.9 port 853
I have checked the firewall state table, and noticed multiple tcp connections to the same hosts in the time_wait state, see the screenshot. Apparently it's trying something but I'm not sure what exactly.
What could I further do to investigate this?
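One thing that helps before touching the firewall is to summarise the log rather than eyeball it, so you can see whether the errors cluster on one upstream and port (853 for DNS over TLS) or are the unattributed "outnettcp" kind. The script below is an added example, not from the post or from the unbound project; it assumes unbound's default log line layout ("[epoch] unbound[pid:tid] level: message", i.e. use-syslog: no and log-time-ascii: no), and the sample lines and the documentation address 192.0.2.53 are constructed.

```python
"""Summarise unbound TCP/TLS upstream errors from debug-level log lines."""
import re
from collections import Counter

# Assumed default unbound log layout: "[epoch] unbound[pid:tid] level: message"
LINE_RE = re.compile(r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$")
# The two message forms quoted in the post; the first carries no address.
GENERIC_RE = re.compile(r"outnettcp got tcp error (?P<code>-?\d+)")
ADDR_RE = re.compile(r"tcp error for address (?P<addr>\S+) port (?P<port>\d+)")


def summarise(lines):
    """Return (per_upstream, generic) for the given log lines.

    per_upstream maps "addr:port" to the number of addressed TCP errors;
    generic maps the numeric error code of 'outnettcp got tcp error' lines
    to a count, since unbound logs those without an upstream address.
    """
    per_upstream = Counter()
    generic = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["level"] != "debug":
            continue
        a = ADDR_RE.search(m["msg"])
        if a:
            per_upstream[f"{a['addr']}:{a['port']}"] += 1
            continue
        g = GENERIC_RE.search(m["msg"])
        if g:
            generic[int(g["code"])] += 1
    return per_upstream, generic


# Constructed sample of what a loglevel 3 run with DNS over TLS can look like.
SAMPLE = """\
[1700000001] unbound[4242:0] debug: outnettcp got tcp error -1
[1700000002] unbound[4242:0] info: resolving example.com. A IN
[1700000003] unbound[4242:0] debug: tcp error for address 9.9.9.9 port 853
[1700000004] unbound[4242:0] debug: outnettcp got tcp error -1
[1700000005] unbound[4242:0] debug: tcp error for address 9.9.9.9 port 853
[1700000006] unbound[4242:0] debug: tcp error for address 192.0.2.53 port 853
""".splitlines()

if __name__ == "__main__":
    upstream, generic = summarise(SAMPLE)
    for target, n in upstream.most_common():
        print(f"{target}: {n} tcp errors")
    print("unattributed outnettcp errors by code:", dict(generic))
```

Run it over the real log (for example `summarise(open("/var/log/unbound.log"))`) and compare the per-upstream counts with the TIME_WAIT entries you saw in the state table; a high count on one address and port 853 points at that upstream path, while only unattributed errors suggest looking at all forwarders.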