Having trouble setting up unbound properly in my OpenWrt router.
Have the basics set up correctly and can resolve most queries, but Facebook CDN addresses fail.
Some queries work:
# nslookup openwrt.org 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
# nslookup fbcdn.net 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: fbcdn.net
Address 1: 157.240.8.35
Address 2: 2a03:2880:f119:8083:face:b00c::25de
But Facebook CDN times out:
# nslookup -t120 static.xx.fbcdn.net 127.0.0.1
;; connection timed out; no servers could be reached
Works fine with Google DNS:
# nslookup static.xx.fbcdn.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Name: static.xx.fbcdn.net
static.xx.fbcdn.net canonical name = scontent.xx.fbcdn.net
Name: scontent.xx.fbcdn.net
Address 1: 157.240.8.23
static.xx.fbcdn.net canonical name = scontent.xx.fbcdn.net
Address 2: 2a03:2880:f019:116:face:b00c::3
I have unbound and dnsmasq configured in parallel, as per https://github.com/openwrt/packages/blob/openwrt-18.06/net/unbound/files/README.md, but I don't think that should affect queries directed directly at unbound on port 53?
I've tried various things like ip4_only, DNSSEC etc. but without knowing exactly what the problem is I don't know where to focus my efforts.
Any pointers on what could be wrong would be much appreciated.
Unbound config:
# uci export unbound
package unbound

config unbound
	option edns_size '1280'
	option extended_luci '0'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option dhcp_link 'dnsmasq'
	option enabled '1'
	option dns64 '0'
	option validator '1'
	option validator_ntp '1'
	option protocol 'mixed'
	list trigger_interface 'lan'
	list trigger_interface 'wan'

Full debug log (unbound -vvv) here: https://pastebin.com/ZuVC18Vk