I am using Unbound, which on startup draws information from the a-to-m.root-servers.net servers.
The problem is that the returning UDP packets are cut off at 548 bytes and Wireshark is flagging them as malformed.
So I changed the MTU of the L2TP/IPsec tunnel, and when that did not help, I also set the EDNS size in the config to 512, but that did not solve it either. The default MTU of the L2TP/IPsec tunnel is 1280.
A strange thing is that there are UDP packets coming in that are much bigger, but those are not coming from the root servers. Secondly, I expected that a fallback to TCP would happen if the packets are fragmented.
I am now keeping the traffic to the root servers outside the VPN, but I would like that traffic to also go over the VPN.
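As an added illustration (not the original poster's code or configuration), the small Python parser below reads a DNS reply and reports the two things that decide what a resolver does next: whether the server set the TC bit, which is the only condition that triggers a retry over TCP, and what EDNS UDP payload size the OPT record advertises. The sample replies are constructed inline; a reply cut short by fragment loss comes back as malformed rather than as a TCP retry.

```python
import struct

OPT_TYPE = 41     # EDNS(0) OPT pseudo-RR; its CLASS field carries the UDP payload size
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags


def build_response(tc, udp_size):
    """Constructed minimal reply to '. NS IN' with an OPT RR (not a real capture)."""
    flags = 0x8100 | (TC_FLAG if tc else 0)                     # QR=1, RD=1, TC optional
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)  # QD=1, AN=0, NS=0, AR=1
    question = b"\x00" + struct.pack("!HH", 2, 1)               # root name, NS, IN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt_rr


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Report TC bit, EDNS UDP size, and whether the bytes parse at all.
    A reply whose trailing fragment never arrived shows up as 'malformed'."""
    result = {"malformed": False, "tc": False, "edns_udp_size": None}
    try:
        _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        result["tc"] = bool(flags & TC_FLAG)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
        for i in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT_TYPE and i >= an + ns:              # OPT belongs in additional section
                result["edns_udp_size"] = rclass
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past end of message")
    except (struct.error, IndexError, ValueError):
        result["malformed"] = True
    # A resolver retries over TCP only when the server sets TC; a reply that
    # arrives incomplete is simply discarded, so no TCP retry follows from it.
    result["tcp_retry_expected"] = result["tc"] and not result["malformed"]
    return result
```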