One of the cool features is Host Overrides. This lets pfSense's DNS Resolver hand back answers that override the normal DNS response: you can use it to block certain services, set up test domains and hosts, or provide local DNS resolution for machines you don't want publicly resolvable.
For me, this stopped working a few years ago, and I sat on the problem until I had some significant time to dig into it. The full details are on Netgate's forum; the thread is worth reading if you are facing similar problems and want to troubleshoot.
The symptoms were that nslookup commands worked just fine for external hosts, but when I tried to look up any of my Host Overrides I didn't get back an answer (instead, I got "missing host" or "missing domain").
I had a Transparent Zone Type, DNSSEC enabled, and Forwarding Mode enabled (disabling it didn't help either). It turns out none of this mattered. Setting the DNS Resolution Behavior to ignore remote DNS servers didn't change the symptoms either. Nothing on pfSense seemed to explain it: not ACLs, not other resolvers, not pfBlocker, not other packages.
Even weirder: if I used ssh to get onto the pfSense box itself and ran the same DNS lookups there, the Host Overrides were honored properly. It was acting as if pfSense were ignoring Host Overrides for downstream devices. Acting, it turns out, was the key word.
The solution started to sort itself out when I used pfSense's Diagnostics / Packet Capture against port 53. When I ran digs against my Host Overrides, I saw no traffic at all! When I ran a dig against google, I'd see a response... but not for google!
When DNS over HTTPS is turned on at the client, the DNS request is forwarded over HTTPS to a resolver outside the network and resolved there, never reaching pfSense's DNS Resolver. That is why the Host Override wasn't applied, and why there was no port 53 traffic to pfSense's DNS.
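The diagnosis above can be turned into a repeatable check run from a client. The script below is an added example, not from the original post or from pfSense: it asks for a Host Override through the client's normal resolution path and then asks pfSense's Resolver directly, and classifies the difference. The pfSense address, the LAN interface name and the host names are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added diagnostic (not the post's or pfSense's own code). Compares the answer a
# client gets through its normal resolution path with the answer pfSense's
# Resolver gives when queried directly. PFSENSE, the interface name and the
# host names are assumptions for this example.
PFSENSE="${PFSENSE:-192.168.1.1}"

# classify SYSTEM_ANSWER DIRECT_ANSWER -> verdict
#   bypass            pfSense has the override but the client's normal path never
#                     reached it (a DoH client or other resolver answered instead)
#   pfsense-no-answer pfSense itself returned nothing: no override, or unreachable
#   mismatch          both answered, but differently: stale cache or another resolver
#   ok                the client gets the override exactly as pfSense serves it
classify() {
  sys=$1
  direct=$2
  if [ -z "$direct" ]; then
    echo "pfsense-no-answer"
  elif [ -z "$sys" ]; then
    echo "bypass"
  elif [ "$sys" != "$direct" ]; then
    echo "mismatch"
  else
    echo "ok"
  fi
}

# check_override NAME: run both lookups for one Host Override and print the verdict.
check_override() {
  name=$1
  # Through whatever resolver the OS (or an OS-level DoH client) is using.
  sys_answer=$(dig +short "$name" A 2>/dev/null | head -n 1)
  # Straight at pfSense, ignoring the client's configured resolver.
  direct_answer=$(dig +short "$name" A @"$PFSENSE" 2>/dev/null | head -n 1)
  printf '%s system=%s pfsense=%s verdict=%s\n' \
    "$name" "${sys_answer:-<none>}" "${direct_answer:-<none>}" \
    "$(classify "$sys_answer" "$direct_answer")"
}

# Usage: PFSENSE=192.168.1.1 ./check_overrides.sh printer.home.lan nas.home.lan
# While it runs, watch port 53 on the LAN interface from a pfSense shell
# (interface name assumed):  tcpdump -ni igb1 port 53 and host <client-ip>
# A "bypass" verdict with no packets on port 53 is the signature described above.
for name in "$@"; do
  check_override "$name"
done
```

Note that dig only exercises the operating system's resolver path. A browser with its own DNS over HTTPS setting (Firefox or Chrome) bypasses pfSense only for that browser's lookups, so repeat the test from the browser's address bar as well as from the shell.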
The solution was simply to turn off DNS over HTTPS. Suddenly the DNS requests went to pfSense's Resolver, which happily answered the Host Overrides, and all was well.
The better approach appears to be DNS over TLS, with pfSense doing the encrypted forwarding to its upstream servers rather than each device doing it on its own.
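What that arrangement looks like underneath the pfSense UI, as an added example rather than a file taken from the post or from pfSense: pfSense's DNS Resolver is Unbound, and Host Overrides plus DNS over TLS forwarding correspond to the Unbound directives below. The zone name, addresses, upstream servers and certificate bundle path are assumptions for this example; pfSense generates its own configuration from the UI, so this is for understanding, not for pasting over what pfSense writes.

```conf
server:
    # Host Overrides (Services > DNS Resolver > Host Overrides) become local-data.
    # "transparent" answers from local-data when it has a match and otherwise
    # resolves normally, which is the Transparent Zone Type mentioned above.
    local-zone: "home.lan." transparent
    local-data: "printer.home.lan. IN A 192.168.1.50"
    local-data-ptr: "192.168.1.50 printer.home.lan."

    # CA bundle used to validate the upstream's TLS certificate (path assumed).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Forwarding Mode with TLS to the upstream: every query that is not answered
# locally goes out on 853 inside TLS, authenticated against the name after '#'.
# Quad9 is used here as an example upstream.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

With this in place, `dig @192.168.1.1 printer.home.lan +short` from a LAN client should return 192.168.1.50, and a packet capture on the WAN side should show port 853 rather than port 53. The configuration only helps if the clients actually send their queries to pfSense: a device that still has its own DNS over HTTPS enabled never reaches these directives, which is exactly the failure described in this post.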