pfSense

In the pfSense DNS Resolver / Advanced Settings there is a setting for Query Name Minimisation which in the pfSense UI defaults to off.

• Enabling the Query Name Minimisation setting in pfSense UI results in the addition of
  qname-minimisation: yes
  to pfSense unbound.conf as expected.
• If the Query Name Minimisation is disabled in the pfSense UI (default) then the qname-minimisation config line is removed.

However the Unbound default for the qname-minimisation setting is on (refer https://nlnetlabs.nl/documentation/unbound/unbound.conf/)

qname-minimisation: <yes or no>
              Send minimum amount of information to upstream  servers  to  en-
              hance  privacy.   Only send minimum required labels of the QNAME
              and set QTYPE to A when possible.  Best  effort  approach;  full
              QNAME and original QTYPE will be sent when upstream replies with
              a RCODE other than NOERROR, except when receiving NXDOMAIN  from
              a DNSSEC signed zone. Default is yes.

On checking the Unbound release changes documentation the default appears to have changed quite some time ago. This likely impacts both pfSense & pfSense Plus.

Proposed fix: modify the configuration generation logic so that the pfSense UI generates
qname-minimisation: no
for the default setting.

Suggestion: with this change additional logic could also be considered to warn the user that qname-minimisation is not useful when Unbound is configured as a forwarding resolver
(refer https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization)