Argh! I wasted a lot of time on this one before finding the solution.
The problem is similar to yours...
I'm using the latest version of pfsense... I have a pfsense on site #1 whose domain is home.arpa. I have another pfsense on site #2 whose domain is s2.home.arpa. Of course, I want pfsense from site #2 to send DNS queries for home.arpa to the pfsense on site #1.
No matter the request sent, I got an "NXDOMAIN" with nobody.invalid in the AUTHORITY section.
I discovered that this is normal behavior for "unbound" (the DNS resolver). The solution is to indicate that the "home.arpa" domain should be set to nodefault... as indicated in the /usr/local/etc/unbound/unbound.conf file. However, I discovered that modifying this file won't help because pfsense does not use it.
I was finally able to succeed by performing the following procedure, in DNS Resolver/General Settings...
1- Display the custom options and add the following 2 lines (do a copy/paste to make sure it's OK)...
server:
local-zone: "home.arpa." nodefault
2- In the "Domain Overrides" section, specify the pfsense IP address of site #1 as the DNS server for the "home.arpa" domain
3- Restart the DNS resolver (or reboot pfsense)
In my case, omitting step #2 (Domain Overrides) prevents the solution from working even if, in the pfsense on site #2, the pfsense IP address in site #1 is indicated in "General settings" and "DNS query forwarding" is activated.
You can see the result in /var/unbound/unbound.conf
Hope it helps!
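As an added example (not part of the post above, and not pfsense's own tooling), the script below checks a generated unbound configuration for the two things the procedure depends on: the `local-zone: "home.arpa." nodefault` line from step 1 and a domain override for home.arpa that carries an upstream address (pfsense writes Domain Overrides as `forward-zone:` blocks; the check also accepts `stub-zone:`). The sample config embedded in the script is constructed for the demonstration, and 10.1.0.1 is a placeholder for the site #1 pfsense address; point it at /var/unbound/unbound.conf (and any file it includes) to check a real box.

```shell
#!/bin/sh
# Added example: verify that an unbound config has both pieces needed to
# resolve a private domain via another site's resolver. Constructed sample
# config below; 10.1.0.1 is a placeholder for the site #1 resolver address.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
  interface: 0.0.0.0
  local-zone: "home.arpa." nodefault
forward-zone:
  name: "home.arpa"
  forward-addr: 10.1.0.1
EOF

# has_nodefault CONF ZONE
# Returns 0 if the built-in local-zone for ZONE is disabled with "nodefault".
# Without this, unbound answers NXDOMAIN for home.arpa itself instead of forwarding.
has_nodefault() {
    grep -Eq "^[[:space:]]*local-zone:[[:space:]]*\"$2\.?\"[[:space:]]+nodefault" "$1"
}

# has_override CONF ZONE
# Returns 0 if a forward-zone or stub-zone named ZONE has at least one
# forward-addr/stub-addr, i.e. the Domain Override from step 2 is in place.
has_override() {
    awk -v zone="$2" '
        /^(forward|stub)-zone:/ { inzone = 1; name = ""; next }
        /^[^ \t]/               { inzone = 0 }
        inzone && $1 == "name:" { gsub(/"/, "", $2); name = $2; sub(/\.$/, "", name) }
        inzone && name == zone && ($1 == "forward-addr:" || $1 == "stub-addr:") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_zone CONF ZONE
# Prints what is missing and returns 0 only when both settings are present.
check_zone() {
    rc=0
    has_nodefault "$1" "$2" || { echo "missing: local-zone \"$2.\" nodefault"; rc=1; }
    has_override "$1" "$2"  || { echo "missing: forward-zone/stub-zone for $2"; rc=1; }
    return $rc
}

check_zone "$SAMPLE_CONF" home.arpa && echo "home.arpa: nodefault and override both present"
```

On the pfsense itself, `unbound-checkconf /var/unbound/unbound.conf` additionally validates the syntax of the generated file, which is useful after pasting custom options.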