pfSense

Looks like host overrides might need some adjustments with dnsmasq 2.79. It is not in builds yet but once master switches to the new quarterly branch it will be there.

From the Change Log

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

And from FreeBSD-ports UPDATING:

20180319:
AFFECTS: users of dns/dnsmasq
AUTHOR: mandree@FreeBSD.org

Note that with dnsmasq 2.79, some parts of the interface have changed in an
incompatible way versus previous versions. This comprises changed recursion
behaviour, signature support, a change for SIGINT (vs. SIGHUP) behaviour.

Note especially that dnsmasq will no longer answer non-recursive queries
unless it is marked authoritative! Be sure to see the manual page for the
various --auth-* options, such as --auth-zone.

Please see the CHANGELOG that ships with dnsmasq for details.