dnsmasq returning HTTPS instead of NODATA

I am trying to setup a DNS on an ubuntu server using dnsmasq for people that connect to the VPN. I do not want people to search for adult content website from this VPN.

So I install dnsmask and set it up to use an hosts list banning most of the known adult content website : https://github.com/Sinfonietta/hostfiles/blob/master/pornography-hosts

For pornhub.com it is working and I get the following logs:

dnsmasq[2438]: query[HTTPS] pornhub.com from 10.8.0.4
dnsmasq[2438]: forwarded pornhub.com to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] pornhub.com from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content pornhub.com is 0.0.0.0
dnsmasq[2438]: reply pornhub.com is NODATA

However, for some reason when a website can be resolved throught ipv6, the client can still reach the website. For example, hanime.tv is resolved even thought dnsmasq find the configuration in /etc/hosts-porn-content:

dnsmasq[2438]: query[HTTPS] hanime.tv from 10.8.0.4
dnsmasq[2438]: forwarded hanime.tv to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] hanime.tv from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content hanime.tv is 0.0.0.0
dnsmasq[2438]: reply hanime.tv is <HTTPS>

Here is my dnsmasq config:

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
clear-on-reload
filter-AAAA

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
addn-hosts=/etc/hosts-porn-content

systemd-resolve config:

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=127.0.0.1
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
DNSStubListener=no
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

OpenVPN config to use the DNS:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.8.0.1"

/etc/hosts content:

127.0.0.1 localhost
127.0.1.1 serv

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

I tried to disable IPV6 on the computer running the DNS Server, however the client couldn't search anything on the web...

And filter-AAAA does not work, at least I don't understand what it is doing.

Finally I clear the DNS cache by doing:

resolvectl flush-caches
pkill -HUP dnsmasq
pkill -USR1 dnsmasq