Thanks for the feedback! I think I may have a working solution now. I moved my domain over to lan.my-domain.net and added a custom option in the pfSense resolver to keep the lan subdomain internal by replying with NXDOMAIN:

server:
  # serve lan.my-domain.net from local data only; names with no local data are answered NXDOMAIN instead of being forwarded upstream
  local-zone: "lan.my-domain.net" static
Super weird that this is still an issue 4 years after people started complaining. I can’t imagine I’m the only one using my external domain as my internal domain and also using Kubernetes.
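One way to confirm the static zone behaves as intended from a LAN client, as an added example that is not part of the post or of pfSense/Unbound: it builds a minimal DNS query with only the Python standard library, sends it to the resolver address you pass in (assumed to be the pfSense LAN interface) and checks that an undefined name under the zone comes back NXDOMAIN rather than being forwarded to the public authoritative server. The query/reply encoders are usable offline; only `query_rcode` touches the network.

```python
"""Client-side check for an Unbound 'local-zone: "<zone>" static' setup.

Constructed example: a minimal DNS/UDP query (RFC 1035 header + one question)
and a reply parser that extracts the RCODE. For a static zone, a name that has
no local-data must be answered NXDOMAIN (RCODE 3) by the resolver itself; if
the query were forwarded upstream instead, the public zone would answer.
"""
import socket
import struct

ZONE = "lan.my-domain.net"   # zone declared static in the pfSense custom options (assumed)
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question query for `name` (class IN, RD=1, fixed txid)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_reply(data: bytes, expected_txid: int = 0x1234) -> dict:
    """Return rcode, answer count and the AA flag of a raw reply; reject foreign ids."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {"rcode": flags & 0x000F, "answers": an, "aa": bool(flags & 0x0400)}


def query_rcode(resolver: str, name: str, timeout: float = 2.0) -> int:
    """Send the query over UDP to `resolver` (the pfSense LAN address) and return RCODE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)["rcode"]


def zone_is_static(resolver: str, zone: str = ZONE) -> bool:
    """True when an undefined label under the zone is refused locally with NXDOMAIN."""
    return query_rcode(resolver, f"does-not-exist-probe.{zone}") == RCODE_NXDOMAIN
```

Run `zone_is_static("192.0.2.1")` (substitute your pfSense LAN address) from a LAN host; a `False` result means the probe name was resolved or forwarded rather than answered NXDOMAIN by the resolver.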