I read through your log and your description carefully. In my opinion this is a false positive, and I'll explain why.
The tell is that it survived a full wipe and clean install. Nothing malicious comes back byte-identical from the stock Unraid image, but the OS does, and the OS is all it's flagging. Every CRITICAL is the same process, emhttpd (Unraid's own daemon), plus its normal libraries.
The only thing worth a look is your original UDM alert: check which LAN device did that DNS lookup. The domains are sinkholed anyway.
If you want a second opinion from something more reliable than that heuristic script, run a signature-based scanner. THOR Lite uses curated YARA/IOC rules instead of guesswork and won't light up on stock libraries the way this one did. It's free.
1. Get THOR Lite + license > https://www.nextron-systems.com/thor-lite/
Download the Linux package.
2. Drop the zip and the license.txt onto the appdata share over SMB, i.e. \appdata\thor-lite\.
Then SSH:
cd /mnt/user/appdata/thor-lite
unzip thor-lite-linux_10.7.30.zip #the name of zip
./thor-lite-util update
Then:
./thor-lite-linux-64 --soft \
-p /usr -p /bin -p /sbin -p /lib -p /lib64 \
-p /etc -p /opt -p /root -p /tmp -p /dev/shm -p /var -p /boot \
--htmlfile /mnt/user/appdata/thor-lite/thor_report.html
When it finishes it writes thor_report.html. If you see an Alert/Warning with a real rule name (e.g. a BPFDoor YARA rule), that's worth a closer look.
Based on everything in your log, expect a clean result.
No uninstallation needed, just delete the folder /thor-lite