BUG: IPv6 clients bypass Omada DNS proxy and Omada LAN DNS function

6 hours ago - last edited 6 hours ago
Model: ER7412-M2  
Hardware Version: V1
Firmware Version: 1.1.0

To recreate this issue, enable the DNS Proxy and LAN DNS on an Omada Gateway following the instructions here:

"How to configure DNS Proxy on the Omada Gateway"

https://support.omadanetworks.com/ae/document/13244/

"How to Configure LAN DNS on Omada Gateway"

https://www.tp-link.com/us/support/faq/4504/

At this point clients using DHCP should be given the IP addresses of the DNS Proxy and be able to resolve LAN DNS addresses.

However, in our testing this only works for clients with no IPv6 support. Even with DNS Proxy enabled, the DHCP server continues to give IPv6 clients the external IPv6 DNS server addresses (as well as the IPv4 address for the DNS proxy).

We tried to fix this by overriding the IPv6 DNS to the IPv6 address of the Gateway, but we found the DNS Proxy doesn't respond on the Gateway's IPv6 address.

We tried to fix this by overriding the IPv6 DNS to the (mapped) IPv4 address of the Gateway, but that didn't work either.

This means any IPv6 clients bypass the proxy, so secure DoH/DoT cannot be used and also IPv6 clients can't resolve LAN DNS domain names.

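An added example, not part of the original post: a small audit that takes a dual-stack client's resolver list in `resolv.conf` syntax and flags every nameserver that is not the DNS proxy, which is how the bypass described above shows up on a client. The sample file, the proxy address `192.168.0.1` and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a dual-stack client's resolver list (resolv.conf syntax).
# All addresses are documentation/private values, not taken from the post.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.0.1
nameserver 2001:db8:ffff::53
nameserver fe80::1%eth0
nameserver ::ffff:192.168.0.1
search lan
"""

# Assumption: the gateway's DNS proxy listens only on this LAN IPv4 address.
PROXY_ADDRS = {"192.168.0.1"}


def audit_resolvers(resolv_conf, proxy_addrs):
    """Return (nameserver, verdict) pairs for every nameserver line."""
    proxies = {ipaddress.ip_address(a) for a in proxy_addrs}
    findings = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        raw = fields[1]
        try:
            # Drop an IPv6 zone id such as "%eth0" before parsing.
            addr = ipaddress.ip_address(raw.split("%", 1)[0])
        except ValueError:
            findings.append((raw, "invalid"))
            continue
        mapped = getattr(addr, "ipv4_mapped", None)  # only on IPv6 addresses
        if addr in proxies:
            verdict = "proxy"
        elif mapped is not None and mapped in proxies:
            # IPv4-mapped form of the proxy; the post reports this did not work.
            verdict = "mapped-proxy"
        else:
            verdict = "bypass"
        findings.append((raw, verdict))
    return findings


def bypassing(findings):
    """Nameservers whose queries will not reach the proxy's listener directly."""
    return [addr for addr, verdict in findings if verdict != "proxy"]
```

Any entry returned by `bypassing()` is a resolver the client can use without going through the proxy, so it gets neither the DoH/DoT upstream nor the LAN DNS records.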