IPv6 + PD + Sophos DNS Protection (IPv4)

I'm slowly enabling IPv6 on various VLANs to test things out. Two questions:

1. I use Sophos DNS Protection, which only provides IPv4 addresses, though these addresses evidently accept and answer IPv6 queries (i.e. AAAA records, etc). How would I set up the firewall to handle this for IPv6 clients? I'm thinking I could either: a) not give out any IPv6 DNS info to any clients, and lean on them being dual-stack, or b) tell IPv6 clients to use the firewall as their DNS server and set the firewall up to answer IPv6 queries but upstream query only IPv4 Sophos DNS Protection servers.

Are recent dual-stack devices able to figure out they can try IPv6 DNS queries to IPv4 DNS servers and get back IPv6 addresses? Or would option (a) essentially neuter IPv6 on my LAN?

If I try option (b), what IPv6 address do I advertise as the DNS server? I'm using IPv6 DHCP PD, so I guess I would need to use the link-level IPv6 of the connected firewall port? I can't seem to find this in the GUI. (To add some detail: the VLAN in question comes off of an AP6 SSID, and is then bridged with another appliance port. But I also have another VLAN that originates from a different SSID on the same AP6 that is not bridged.)

2. Could Sophos consider allowing Clientless Users by MAC address in addition to IPv4 address? In a small installation, I think it's common to use Clientless Users for almost every device because of the convenient displays and the ability to have rules to require a known User. Clientless users are IPv4 so they don't have to be directly connected to the appliance, and that's good. But IPv6 has so many address moving parts that it would be super-nice to use MAC address to group all the activity of one device.

P.S I hadn't thought of it before, but my ISP changes the PD multiple times a day. The IPv4 address is stable, even though it's DHCP, but the PD changes often. Good for anonymity, I guess, but I wasn't expecting that behavior.