Pi-hole unbound servfail

Maybe the below helps a bit in understanding what's happening when resolving recursively, like unbound is set up to do, and helps to diagnose.
If you enable unbound remote control by creating the additional config file below:

sudo tee /etc/unbound/unbound.conf.d/remote-control.conf <<< $'remote-control:\n control-enable: yes'

Check syntax:

unbound-checkconf

And reload to apply:

sudo service unbound reload

You're able to see which DNS server(s) are going to be called upon by unbound to resolve, for example, github.com:

pi@ph5b:~ $ sudo unbound-control lookup github.com
The following name servers are used for lookup of github.com.
;rrset 581 13 0 2 0
com.    581     IN      NS      a.gtld-servers.net.
com.    581     IN      NS      b.gtld-servers.net.
com.    581     IN      NS      c.gtld-servers.net.
com.    581     IN      NS      d.gtld-servers.net.
com.    581     IN      NS      e.gtld-servers.net.
com.    581     IN      NS      f.gtld-servers.net.
com.    581     IN      NS      g.gtld-servers.net.
com.    581     IN      NS      h.gtld-servers.net.
com.    581     IN      NS      i.gtld-servers.net.
com.    581     IN      NS      j.gtld-servers.net.
com.    581     IN      NS      k.gtld-servers.net.
com.    581     IN      NS      l.gtld-servers.net.
com.    581     IN      NS      m.gtld-servers.net.
;rrset 581 1 1 11 5
com.    581     IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    581     IN      RRSIG   DS 8 1 86400 20210524050000 20210511040000 14631 . pK9YpC5gVf/m6S5Q7Gr4kiJzhiBe0N6YP7eS/jQQWXKb7ANyjLGL+QSAdkgza/tBs7LdCId5iEjKKcoIM3Y8Pub2LTVX7wvsHNg7CgGobYj8QlKrVo0PJiwoV636aPWWtWDC/Aqs35R9CyJ4IjCGH4Kr8brHmJapjK8CVig7q218JCPvvgeMJ3dQ3NCnMtN0ZDzevIRHvCQ1G0Vohr4PvlgWZ8xW3aDe4tDcloH5cjED4Bnuckf3LK9ND50GdBdLbrTUs6/OsJR2CgvCzf615rLDK2B+DmjgRw6VrPmsmwnROkAX84YaeCcmVRTzSvS4gFXiHE2qAb0ipIEih7fiow== ;{id = 14631}
;rrset 581 1 0 1 0
m.gtld-servers.net.     581     IN      A       192.55.83.30
;rrset 581 1 0 1 0
m.gtld-servers.net.     581     IN      AAAA    2001:501:b1f9::30
;rrset 581 1 0 1 0
l.gtld-servers.net.     581     IN      A       192.41.162.30
;rrset 581 1 0 1 0
l.gtld-servers.net.     581     IN      AAAA    2001:500:d937::30
;rrset 581 1 0 1 0
k.gtld-servers.net.     581     IN      A       192.52.178.30
;rrset 581 1 0 1 0
k.gtld-servers.net.     581     IN      AAAA    2001:503:d2d::30
;rrset 581 1 0 1 0
j.gtld-servers.net.     581     IN      A       192.48.79.30
;rrset 581 1 0 1 0
j.gtld-servers.net.     581     IN      AAAA    2001:502:7094::30
;rrset 581 1 0 1 0
i.gtld-servers.net.     581     IN      A       192.43.172.30
;rrset 581 1 0 1 0
i.gtld-servers.net.     581     IN      AAAA    2001:503:39c1::30
;rrset 581 1 0 1 0
h.gtld-servers.net.     581     IN      A       192.54.112.30
;rrset 581 1 0 1 0
h.gtld-servers.net.     581     IN      AAAA    2001:502:8cc::30
;rrset 581 1 0 1 0
g.gtld-servers.net.     581     IN      A       192.42.93.30
;rrset 581 1 0 1 0
g.gtld-servers.net.     581     IN      AAAA    2001:503:eea3::30
;rrset 581 1 0 1 0
f.gtld-servers.net.     581     IN      A       192.35.51.30
;rrset 581 1 0 1 0
f.gtld-servers.net.     581     IN      AAAA    2001:503:d414::30
;rrset 581 1 0 1 0
e.gtld-servers.net.     581     IN      A       192.12.94.30
;rrset 581 1 0 1 0
e.gtld-servers.net.     581     IN      AAAA    2001:502:1ca1::30
;rrset 581 1 0 1 0
d.gtld-servers.net.     581     IN      A       192.31.80.30
;rrset 581 1 0 1 0
d.gtld-servers.net.     581     IN      AAAA    2001:500:856e::30
;rrset 581 1 0 1 0
c.gtld-servers.net.     581     IN      A       192.26.92.30
;rrset 581 1 0 1 0
c.gtld-servers.net.     581     IN      AAAA    2001:503:83eb::30
;rrset 581 1 0 1 0
b.gtld-servers.net.     581     IN      A       192.33.14.30
;rrset 581 1 0 1 0
b.gtld-servers.net.     581     IN      AAAA    2001:503:231d::2:30
;rrset 581 1 0 1 0
a.gtld-servers.net.     581     IN      A       192.5.6.30
;rrset 581 1 0 1 0
a.gtld-servers.net.     581     IN      AAAA    2001:503:a83e::2:30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30       not in infra cache.
192.26.92.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30       not in infra cache.
192.31.80.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30       not in infra cache.
192.12.94.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30       not in infra cache.
192.35.51.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30       not in infra cache.
192.42.93.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:8cc::30        not in infra cache.
192.54.112.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:39c1::30       not in infra cache.
192.43.172.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:7094::30       not in infra cache.
192.48.79.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d2d::30        not in infra cache.
192.52.178.30           rto 302 msec, ttl 762, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:d937::30       not in infra cache.
192.41.162.30           not in infra cache.
2001:501:b1f9::30       not in infra cache.
192.55.83.30            not in infra cache.

unbound is going to ask one of them who the authoritative nameserver(s) are for github.com:

pi@ph5b:~ $ dig +noall +authority @192.55.83.30 ns github.com.
github.com.             172800  IN      NS      ns-520.awsdns-01.net.
github.com.             172800  IN      NS      ns-421.awsdns-52.com.
github.com.             172800  IN      NS      ns-1707.awsdns-21.co.uk.
github.com.             172800  IN      NS      ns-1283.awsdns-32.org.
github.com.             172800  IN      NS      dns1.p08.nsone.net.
github.com.             172800  IN      NS      dns2.p08.nsone.net.
github.com.             172800  IN      NS      dns3.p08.nsone.net.
github.com.             172800  IN      NS      dns4.p08.nsone.net.

Next, supposing an A record needs to be resolved, unbound is going to ask one of them for the final answer:

pi@ph5b:~ $ dig +noall +answer @ns-520.awsdns-01.net. a github.com
github.com.             60      IN      A       140.82.121.4

Hope this can narrow the field a bit.

1 Like
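
As an added example (not part of the original post, and not code from the unbound or Pi-hole projects), the infra-cache lines at the end of the `unbound-control lookup` output above can be summarised to see at a glance whether unbound is timing out against the delegation servers. The function names `infra_summary` and `sample_lookup_output` are hypothetical, the 120000 msec threshold is an assumption, and the sample input is constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: summarise the infra-cache lines of `unbound-control lookup`.
# Live use: sudo unbound-control lookup github.com | infra_summary

# infra_summary [max_rto_msec]   (hypothetical helper name)
# The 120000 msec default is an assumption, not a value from the post: an rto
# at or above it is counted as "unbound backed off from this server".
infra_summary() {
    awk -v max="${1:-120000}" '
        # Address followed by "not in infra cache": never probed or aged out.
        /^[0-9a-fA-F:.]+[ \t]+not in infra cache/ { total++; uncached++; next }
        # Address followed by "... rto N msec": take N, the last recorded
        # retransmit timeout (an "expired" entry still shows it).
        /^[0-9a-fA-F:.]+[ \t]+.*rto [0-9]+ msec/ {
            total++
            rto = $0
            sub(/.*rto /, "", rto); sub(/ msec.*/, "", rto)
            if (rto + 0 >= max) backed_off++; else healthy++
            next
        }
        END {
            if (healthy + backed_off == 0)           verdict = "no-data"
            else if (healthy == 0)                   verdict = "all-timing-out"
            else if (backed_off > healthy)           verdict = "mostly-timing-out"
            else                                     verdict = "ok"
            printf "total=%d uncached=%d backed_off=%d healthy=%d verdict=%s\n",
                   total, uncached, backed_off, healthy, verdict
        }'
}

# Constructed sample in the format shown above (documentation addresses only).
sample_lookup_output() {
    cat <<'EOF'
;rrset 581 1 0 1 0
a.example-servers.test. 581     IN      A       192.0.2.1
Delegation with 2 names, of which 0 can be examined to query further addresses.
It provides 4 IP addresses.
2001:db8::1             not in infra cache.
192.0.2.1               expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:db8::2             not in infra cache.
192.0.2.2               expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
EOF
}

sample_lookup_output | infra_summary
```

Fed the github.com output quoted in the post, this counts 26 addresses: 15 not in the infra cache, 10 with an rto of 187184 msec, and one (192.52.178.30) answering at 302 msec, so the verdict is `mostly-timing-out`.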