That’s an interesting observation. I previously used a pi-hole in conjunction with my Asus router. When I switched over to pfSense, I assumed, apart from the GUI, there would be no difference with using the pi-hole lists in pfblocker. From your experience it looks like that is not the case.
Whilst in lockdown, I thought I would try to get a deeper understanding of how DNS and OpenVPN really work with respect to being secure. I’m never really sure if I am actually secure or things just seem to work until they don’t.
With respect to your “chicken and egg” situation, I use AirVPN. When I set up the OpenVPN client I use an IP address to their server so there is no need for DNS to establish the tunnel. The DNS resolver is on AirVPN servers, so this seems the most secure with respect to privacy. When I run a DNSSEC check it comes up positive so I ought to be getting legitimate sites.
I’m debating whether I should be passing all traffic through AirVPN. I believe it ought to be the most private but I can’t work out if it is the most secure. Certain email servers and financial sites really don’t like VPNs so I’m trying to work out the best way to mitigate that too. Looks like I’ll have the time.