Since you haven't checked "Don't pull routes", the NordVPN gateway will be your default gateway. That means that any traffic including that one from pfSense itself (DNS) is routed to the VPN gateway. However, that won't work, cause you are missing an outbound NAT rule for pfSense.
So either check "Don't pull routes" in the client settings or add an outbound NAT rule for 127.0.0.0/8 to the NordVPN interface.
The outbound NAT solution should avoid DNS leaks.