Netgate Discussion Forum

    unbound send client name to forwarder

      securvark

      My router has NextDNS installed and configured to resolve public domains and do ad blocking etc.
      pfSense is used for DHCP and local DNS services, and has the router configured as the forwarder.

      Everything seems to work, except for 2 things.
      When a client queries the router directly, its real hostname shows up in the NextDNS logs. When pfSense forwards the query for a client, NextDNS logs a random client name. Is it possible for pfSense (unbound) to forward the real client name instead?

      Ideally I would want pfSense to handle all DNS, but when I configure unbound to forward directly to NextDNS with the following custom config:

      server:
        forward-zone:
          name: "."
          forward-tls-upstream: yes
          forward-addr: 1.2.3.4#abcdef.dns1.nextdns.io
          forward-addr: 1.2.3.5#abcdef.dns2.nextdns.io
      

      All client info is lost and NextDNS only logs pfSense as a client.

      Second issue (which I don't believe is pfSense, but let's throw it out here just in case) is that when I configure a domain override on NextDNS (non-existent domain name to private IP address) and a client queries the router directly, it gets the private IP back. When pfSense does the query, it comes back with a message that the domain does not exist, but the query does show up in the NextDNS logs with the pfSense WAN IP. I have this question open with NextDNS support as well.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.