DNS Forwarder returns internal A record, but also external CNAME

qBaz

I've got several local records set up in the DNS forwarder on my pfSense box, running 1.2.3.  When I query the forwarder, I get the (correct) internal A record, but I also get the CNAME records from outside, which makes accessing internal services a little inconsistent.

In the example shown in the screenshots, the record "vox.baz.org" has an internal A record on the DNS forwarder, and CNAME records in the zone served externally.  When I run "host -v vox.baz.org" I get the following back from the DNS forwarder on the pfSense machine:

Trying "vox.baz.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49541
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vox.baz.org.			IN	A

;; ANSWER SECTION:
vox.baz.org.		0	IN	A	172.17.1.12

Received 45 bytes from 172.17.1.1#53 in 2 ms
Trying "vox.baz.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27151
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vox.baz.org.			IN	AAAA

;; ANSWER SECTION:
vox.baz.org.		81989	IN	CNAME	baz.is-a-geek.net.

;; AUTHORITY SECTION:
is-a-geek.net.		1562	IN	SOA	ns1.dyndns.org. hostmaster.dyndns.org. 2011252371 10800 1800 604800 1800

Received 118 bytes from 172.17.1.1#53 in 20 ms
Trying "vox.baz.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vox.baz.org.			IN	MX

;; ANSWER SECTION:
vox.baz.org.		81989	IN	CNAME	baz.is-a-geek.net.

;; AUTHORITY SECTION:
is-a-geek.net.		1562	IN	SOA	ns1.dyndns.org. hostmaster.dyndns.org. 2011252371 10800 1800 604800 1800

Received 118 bytes from 172.17.1.1#53 in 18 ms

Seems like it should just return the A record, no?  As memory serves, I believe this behavior cropped up when I upgraded to 1.2.3.