@gpinzone
?
Have a look at a DNS packet unbound receives on the pfSense LAN port. Yep, that will be an Ethernet packet. As filter criteria, set up port 53, and use the IP of your device.
As soon as you have one, inspect it. This is technology of the years 60 and 70, last century, so quiet simple.
You will find out quickly there is a source IP, destination IP, source port, destination port, and a 'word' with 16 or so bits that tells what kind of packet it is (like UDP - the packet number etc) and a time stamp.
There is no information that tells unbound "what program" made or send this packet ***
So, unbound on pfSense can not know that the packet creating program was a 'browser' (or a mail client, or command line tool, or a file server, or a mail server, or whatever program) that wants to communication over the Internet.
With some very nifty comparing you could speculate what OS made the packet. Programs exist to do this kind of detecting. Unbound can't do that.
What you can do : tell your browser to do its own DNS, so addresses itself direcly to, for example, 8.8.8.8 or a "canary" solution.