When ztunnel captures DNS requests that match wildcarded hosts, it returns a CNAME record whose owner name is the wildcarded domain name and whose canonical name also contains a wildcard. That shouldn't be the case according to RFCs 1034 and 1035. It causes issues with Ubuntu's standard resolver, which doesn't go through the A records that follow when the CNAME mapping doesn't contain FQDNs.
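The check below is an added example, not ztunnel's code: it walks an answer section in order and rejects wildcard labels in CNAME owner and target names, since RFC 1034 section 4.3.3 synthesizes wildcard matches under the query name. The record types, `check_answer`, and the sample names and addresses are assumptions constructed for illustration.

```rust
// Added example: minimal model of a DNS answer section (not ztunnel's own types).
enum Rdata { Cname(String), A([u8; 4]) }
struct Record { owner: String, data: Rdata }

fn norm(name: &str) -> String { name.trim_end_matches('.').to_ascii_lowercase() }
fn has_wildcard(name: &str) -> bool { norm(name).split('.').any(|l| l == "*") }
fn rec(owner: &str, data: Rdata) -> Record { Record { owner: owner.into(), data } }

/// Simplified in-order walk, as a strict stub resolver would do it: each record
/// must be owned by the name currently being resolved, and a CNAME moves that
/// name to its target. A "*" label in either position is rejected.
fn check_answer(qname: &str, answers: &[Record]) -> Result<Vec<[u8; 4]>, String> {
    let mut current = norm(qname);
    let mut addrs = Vec::new();
    for r in answers {
        if has_wildcard(&r.owner) {
            return Err(format!("wildcard owner name: {}", r.owner));
        }
        if norm(&r.owner) != current {
            return Err(format!("{} does not continue the chain at {}", r.owner, current));
        }
        match &r.data {
            Rdata::Cname(target) if has_wildcard(target) => {
                return Err(format!("wildcard CNAME target: {}", target));
            }
            Rdata::Cname(target) => current = norm(target),
            Rdata::A(ip) => addrs.push(*ip),
        }
    }
    if addrs.is_empty() {
        return Err(format!("no A record reachable from {}", qname));
    }
    Ok(addrs)
}

// Constructed sample: wildcard owner and wildcard canonical name, as described above.
fn bad_answer() -> Vec<Record> {
    vec![rec("*.wild.example.", Rdata::Cname("*.backend.example.".into())),
         rec("*.backend.example.", Rdata::A([192, 0, 2, 10]))]
}
// Constructed sample: the record is owned by the query name itself.
fn good_answer() -> Vec<Record> {
    vec![rec("api.wild.example.", Rdata::A([192, 0, 2, 10]))]
}

fn main() {
    println!("{:?}", check_answer("api.wild.example.", &bad_answer()));
    println!("{:?}", check_answer("api.wild.example.", &good_answer()));
}
```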