It may not actually be failing. By default HA uses the fallback for SERVFAIL, REFUSED and NXDOMAIN responses. Falling back on REFUSED and NXDOMAIN in particular is (understandably) what people find confusing.
I explained the reason it uses the fallback for these here:
It does actually make sense since most users would prefer to simply not worry about DNS. So the fallback as configured ensures that people don’t hit strange issues around key hostnames like github.com and ghcr.io even if their ISP-provided DNS server is misbehaving. And for users that do care and want to exert full control over DNS in their network, they can simply disable the fallback with
ha dns options --fallback=false
Although for anyone looking to disable the fallback I strongly recommend running the following command first:
ha resolution info
Just to make sure your DNS server doesn’t have the musl-related issue I mention in that post. If you do, it will show up under issues and should be fixed first. Otherwise the fallback can be disabled.