This is an interesting question. My input will probably add more woes rather than resolve your query but it might be useful.
I’ve set up my network to use 3 sets of DNS servers: my guest network uses Quad9, set in the DHCP server; my VPN network uses Air DNS servers in DNS Resolver, so DNS queries stay in the VPN tunnel of my VPN provider; and I use Cloudflare in DNS Forwarder for my other networks.
When I originally set up pfSense, I am certain all DNS queries resolved as expected. Mainly I’m concerned that I don’t have any leaks on my VPN network for my Linux ISO downloads ;-). When I do a DNS leak test, it passes.
However, I later set up pfBlocker, and this made some changes which I have to admit I don’t fully understand, but I know queries go through it to block the IP addresses serving the ads. I need to investigate this further, but it seems to work OK.
The way I approached the firewall rules was to block everything first, then add rules to achieve my objective. Going the other way, I found it was difficult to determine whether my network was secure or not.
The thing I have found with pfSense is that in order to get 1 thing to work, 3 other things have to be configured correctly. Trial and error is your friend!