OPNsense Forum

English Forums => 25.7 Series => Topic started by: benyamin on August 01, 2025, 12:40:53 AM

Title: BIND plugin broken, increased DNS traffic
Post by: benyamin on August 01, 2025, 12:40:53 AM
Looking at BIND config, the plugin looks to be broken on zone configuration. The Commands section used to have a stethoscope button, delete, etc. but now only has edit, clone and an ellipsis with a "Check & preview" tooltip. When clicked, the checks all fail, as does clicking "Show zone content", which suggests "Empty response from the backend. Please check logs."

I've also noticed that new ACLs are not immediately available to the General config tab.

Following the upgrade to 25.7, filter logs on this OPNsense box increased from 35MiB daily to 750MiB daily, mostly DNS entries. I've had to delete filter logs to avoid the disk filling up. This is what led me to discover the above. There does appear to be a Brazil-based DNS Amplification Attack that has been underway for several days, so all of this might be coincidental, but I would like to eliminate configuration as an issue. Are there any good block lists for these types of attacks?

Title: Re: BIND plugin broken, increased DNS traffic
Post by: benyamin on August 01, 2025, 11:16:49 AM
Ok, so I've found two issues. One is a bug, the other a needed feature (rate limiting).

I'll do some testing and raise PRs...

Edit: This does not include the bug in the OP.