Oh, I see what you're referring to now. When 127.0.0.1 fails, it tries the next server at 1.1.1.1#53, which should have been 1.1.1.1#853. Could that be a pfSense bug, because I have it set up exactly as described in that post? Or perhaps it's just a side effect of trying nslookup on the pfSense box, which has 3 IPs listed (although the Cloudflare ones really should be TLS only, not UDP over 53).
The status page for DNS Resolver clearly shows that it is set up to use TLS over port 853.
When I follow step 3 from that post and go to Diagnostics / States and filter for 1.1.1.1, I see TCP 853, and
I also checked a packet capture and see the DNS requests go to Cloudflare on port 853.
Just an update: as of today, 127.0.0.1 on pfSense resolves nvidiagrid.net. I'm thinking perhaps Nvidia had some configuration issue on their DNS. But then again, it baffles me why direct queries to 1.1.1.1 over TLS resolved, whereas DNS Resolver's forwarded requests to it failed.
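As an added example (not from the original post or from pfSense), the check below parses the unbound forward-zone block that the DNS Resolver generates and flags any forwarder that would not actually use DNS over TLS: a forward-addr on a port other than 853, a missing #authname for certificate checking, or forward-tls-upstream not set to yes. The config text is constructed, with the 1.0.0.1 line deliberately misconfigured; the nslookup fallback in the post comes from the box's resolv.conf instead, which this does not read.

```python
import re

# Constructed sample in the style of the forward-zone block pfSense's DNS Resolver
# writes when "Use SSL/TLS for outgoing DNS Queries" is enabled. The 1.0.0.1 line is
# deliberately wrong: plain port 53 and no #authname, so it would not use DoT.
SAMPLE_UNBOUND_CONF = """
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@53
"""

FORWARD_ADDR = re.compile(r"^\s*forward-addr:\s*(\S+)")
TLS_UPSTREAM = re.compile(r"^\s*forward-tls-upstream:\s*(yes|no)", re.I)


def parse_forward_addr(value):
    """Split unbound's 'ip[@port][#authname]' form; port defaults to 53 like unbound."""
    auth = None
    if "#" in value:
        value, auth = value.split("#", 1)
    port = 53
    if "@" in value:
        value, port_text = value.split("@", 1)
        port = int(port_text)
    return value, port, auth


def check_forward_zone(conf):
    """Return human-readable findings for forwarders that would not use DNS over TLS."""
    # forward-tls-upstream may appear anywhere in the block, so decide it first.
    tls = any(m.group(1).lower() == "yes"
              for m in (TLS_UPSTREAM.match(l) for l in conf.splitlines()) if m)
    findings = []
    for line in conf.splitlines():
        m = FORWARD_ADDR.match(line)
        if not m:
            continue
        ip, port, auth = parse_forward_addr(m.group(1))
        if not tls:
            findings.append(f"{ip}: forward-tls-upstream is not yes; queries go in the clear")
        elif port != 853:
            findings.append(f"{ip}: port {port} with TLS upstream; expected 853")
        elif auth is None:
            findings.append(f"{ip}: no #authname, so the upstream certificate is not name-checked")
    return findings


if __name__ == "__main__":
    for finding in check_forward_zone(SAMPLE_UNBOUND_CONF):
        print(finding)
```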