Well, host would be a DNS query; ping would use your cache or hosts file. Did you flush your machine's DNS cache, or do you have something in its hosts file?
So let's see this query showing the public IP.
What you're saying is, vs dnsmasq returning what it has in its records (pfsense hosts file), it's returning what the forwarder has for it. I really find that unlikely, but if it is the case it has nothing to do with pfsense and would be an underlying dnsmasq issue. I have never, ever seen this behavior in dnsmasq, ever.
So let's see this happen. From a dig, query this fqdn and just keep doing the query; show us when it returns the public vs the local IP.
Example:
So I created a record for www.cnn.com to point to 1.2.3.4; clearly that is not the right answer. So if I query pfsense (dnsmasq) it returns 1.2.3.4, and if I query a public DNS it returns the public records. So what you're saying is happening is: just keep doing the query to pfsense and at some point it returns the public IP vs the local one.
Well, do 100 queries: how many return local, how many return public? I am betting 100 out of 100 return local and your issue is somewhere on your clients doing a query to something else, to be honest.
C:>dig www.cnn.com
; <<>> DiG 9.9.5-W1 <<>> www.cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31386
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.cnn.com. IN A
;; ANSWER SECTION:
www.cnn.com. 86400 IN A 1.2.3.4
;; Query time: 4 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Apr 05 06:32:27 Central Daylight Time 2014
;; MSG SIZE rcvd: 45
C:>dig @4.2.2.2 www.cnn.com
; <<>> DiG 9.9.5-W1 <<>> @4.2.2.2 www.cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11444
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cnn.com. IN A
;; ANSWER SECTION:
www.cnn.com. 439 IN CNAME www.cnn.com.vgtf.net.
www.cnn.com.vgtf.net. 37 IN CNAME cnn-56m.gslb.vgtf.net.
cnn-56m.gslb.vgtf.net. 253 IN A 157.166.248.11
cnn-56m.gslb.vgtf.net. 253 IN A 157.166.249.10
cnn-56m.gslb.vgtf.net. 253 IN A 157.166.249.11
cnn-56m.gslb.vgtf.net. 253 IN A 157.166.248.10
;; Query time: 43 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sat Apr 05 06:32:36 Central Daylight Time 2014
;; MSG SIZE rcvd: 165
C:>
edit: So what I would do as a simple test: grab namebench, run it with a simple test for this local record against pfsense and have it query a few times. So here I queried 1000 times for the www.cnn.com that I pointed to 1.2.3.4.
ubuntu:~$ namebench -i /tmp/test.dns -S -r 4
namebench 1.3.1 - /tmp/test.dns (automatic) on 2014-04-05 07:56:06.333039
threads=40/2 queries=250 runs=4 timeout=3.5 health_timeout=3.75 servers=11
Reading /tmp/test.dns: /tmp/test.dns (0.0MB)
Generating tests from /tmp/test.dns (1 records, selecting 250 automatic)
In my test.dns file I had only www.cnn.com. So this reports what your DNS server responds with in a nice, easy to read csv file showing every query and response.
IP Name Test_Num Record Record_Type Duration TTL Answer_Count Response
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.610994339 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.846075058 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.757144928 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.523017883 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.521110535 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.447128296 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.616001129 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.111911774 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.528978348 86400 1 1.2.3.4
192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 5.592107773 86400 1 1.2.3.4
So 1000 queries, and every single one responded with my local record of 1.2.3.4. I would love to see a test like this from you showing where it responds with the public vs the host override you created. So let's run it 10k times. Man, that really beat the shit out of dnsmasq, but every one still 1.2.3.4. Dude, it is way more likely you're just doing a query to something else, or have multiple entries maybe, a hosts file, etc., than dnsmasq returning the public IP when it has a host override.
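As an added example (not part of the original post, and not pfSense's, dnsmasq's or namebench's own code), here is the same repeated-query test as a small stand-alone script using only the Python standard library: it builds raw DNS A queries, sends them straight to the resolver over UDP (so the OS stub resolver, its cache and the hosts file are bypassed, which is exactly what you want when host and ping disagree), parses the answer section, and tallies how many of N responses carried each distinct answer set. The resolver 192.168.1.253, the name www.cnn.com and the override 1.2.3.4 are taken from the post above; build_response exists only to construct an offline sample response for demonstration and stands in for a real resolver.

```python
"""Hammer one resolver with the same A query and tally the distinct answers.

If a host override is served consistently, the tally has exactly one entry.
"""
import secrets
import socket
import struct
import sys
from collections import Counter

# DNS header flag bits and rcode mask (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000      # message is a response
FLAGS_RD = 0x0100     # query with recursion desired
RCODE_MASK = 0x000F


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS A/IN query (RD=1) for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, FLAGS_RD, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_qid: int) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response.

    CNAME and other record types are skipped. The transaction id must match the
    query we sent: an unsolicited or mismatched answer is rejected, not trusted.
    """
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_qid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    if flags & RCODE_MASK:
        raise ValueError("rcode %d" % (flags & RCODE_MASK))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def build_response(query: bytes, addrs: list, ttl: int = 86400) -> bytes:
    """Construct an authoritative response to `query` answering with A records.

    Only used to build an offline sample (this is an assumption for the demo);
    a real resolver produces the bytes that parse_a_records sees in practice.
    """
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8580, 1, len(addrs), 0, 0)  # QR AA RD RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)                # name = pointer to the question at offset 12
    return header + query[12:] + rrs


def query_a(server: str, name: str, port: int = 53, timeout: float = 2.0) -> list:
    """Send one A query over UDP directly to `server` and return the addresses answered."""
    qid = secrets.randbelow(0x10000)               # unpredictable id, as a resolver should use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def tally_answers(answer_sets: list) -> Counter:
    """Count how often each distinct (order-independent) answer set was returned."""
    return Counter(tuple(sorted(a)) for a in answer_sets)


def hammer(server: str, name: str, count: int, port: int = 53) -> Counter:
    """Query `count` times and tally the answer sets; timeouts and bad replies count as ()."""
    results = []
    for _ in range(count):
        try:
            results.append(query_a(server, name, port))
        except (OSError, ValueError):              # socket.timeout is an OSError
            results.append([])
    return tally_answers(results)


if __name__ == "__main__":
    # Defaults are the resolver and override from the post; override on the command line.
    srv = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.253"
    fqdn = sys.argv[2] if len(sys.argv) > 2 else "www.cnn.com"
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 100
    for answers, seen in hammer(srv, fqdn, n).most_common():
        print("%5d x %s" % (seen, ", ".join(answers) or "(no answer / timeout)"))
```

Run it as `python3 dnshammer.py 192.168.1.253 www.cnn.com 1000`; a consistently served override prints a single line (`1000 x 1.2.3.4`). If a second line with the public addresses ever shows up, the resolver itself answered differently, and that is the evidence the post is asking for; if it never does, the client is getting its public answer from somewhere else (another resolver in its list, a stale cache, a hosts entry). Note that the sample response built for the offline check is 45 bytes, the same size dig reported above for the local answer.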