I finally resolved this using the brute force method... I rebuilt the box.
Rather than using a backup I manually recreated my entire config. I had always suspected something had gone wrong with my certificate and cryptographic layer, but was never able to get to the bottom of it. The other symptom I had is that authing over SSH via public key had stopped working as well, while other things, such as HTTPS for the web configurator and my OpenVPN server, still worked correctly. Bizarre.
Coincidence or causation - the one thing I could pinpoint is that the DNS-related issues started after installing pfBlockerNG, and unfortunately didn't start working again after I uninstalled it. This all broke some time ago (I think around the initial release of pfSense 2.4), so perhaps there was a bug or incompatibility at the time?
In any case - local DNS caching, DNSSEC, and DNS over TLS all work perfectly now. Sorry that this was the resolution, if anyone else runs into this :)
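If you rebuild a resolver like this, it is worth confirming that DNSSEC validation is actually happening rather than just that names resolve. The script below is an added example and not part of the post above: it queries a resolver for a correctly signed name (isc.org) and for the deliberately broken test zone dnssec-failed.org, and reads dig's header flags to decide whether the resolver validates. It assumes `dig` is installed on the machine you run it from (any workstation, not necessarily the firewall) and that the resolver is reachable on port 53; the two names are public test targets, and the sample dig output embedded at the bottom is constructed for offline use.

```sh
#!/bin/sh
# Added example: classify a resolver as DNSSEC-validating or not from dig output.
# A validating resolver sets the AD (authenticated data) flag on answers for a
# correctly signed name and returns SERVFAIL for a zone whose signatures are broken.

# has_ad_flag: read dig output on stdin; succeed if the header flags include "ad".
has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# is_servfail: read dig output on stdin; succeed if the response status is SERVFAIL.
is_servfail() {
    grep -E '^;; ->>HEADER<<-.*status: SERVFAIL' >/dev/null
}

# classify_dig GOOD_OUTPUT BAD_OUTPUT
#   GOOD_OUTPUT: dig +dnssec output for a properly signed name
#   BAD_OUTPUT:  dig +dnssec output for a name with deliberately bad signatures
# Prints one of: validating, not-validating, inconsistent
classify_dig() {
    good_out="$1"
    bad_out="$2"
    good_ad=0
    printf '%s\n' "$good_out" | has_ad_flag && good_ad=1
    bad_servfail=0
    printf '%s\n' "$bad_out" | is_servfail && bad_servfail=1

    if [ "$good_ad" -eq 1 ] && [ "$bad_servfail" -eq 1 ]; then
        echo validating            # signed answer authenticated, broken zone rejected
    elif [ "$good_ad" -eq 0 ] && [ "$bad_servfail" -eq 0 ]; then
        echo not-validating        # answers come back but nothing is being checked
    else
        echo inconsistent          # e.g. AD set but bogus data still served: investigate
    fi
}

# check_resolver RESOLVER_IP: run the two live queries and classify the result.
# (Network access required; not exercised by the offline sample below.)
check_resolver() {
    resolver="$1"
    classify_dig \
        "$(dig @"$resolver" isc.org A +dnssec)" \
        "$(dig @"$resolver" dnssec-failed.org A +dnssec)"
}

# --- constructed sample dig output for offline use (headers only, trimmed) ---
SAMPLE_GOOD_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BAD_REJECTED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_GOOD_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BAD_SERVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Usage against a live resolver, e.g. the firewall's LAN address:
#   check_resolver 192.168.1.1
```

On a pfSense box with the Resolver's DNSSEC option enabled, `check_resolver` against the LAN address should print `validating`; `not-validating` means unbound is answering but the DNSSEC checkbox (or the forwarding mode) is not doing what you think, and `inconsistent` is worth a closer look at the full dig output.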