I ran into a fairly similar problem with BIND v9, although I corrected it by adding:
--snip--
query-source address x.x.x.x port 53;
--end--
I'm not sure how you would apply this with tinydns, but I figured this might
point you in the correct direction.
As far as your pf.conf goes, if I were you, I would add before all of my
filters, "block all." Just a suggestion though.
--
Brandon L. Carr
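
A pf.conf sketch of the two suggestions in the message above, added here as an illustration and not taken from the poster's or the original asker's configuration: a default-deny `block all` placed ahead of every other filter rule, followed by pass rules for a BIND 9 resolver whose UDP source port is pinned to 53 by `query-source`. The interface name `em0` and the address 192.0.2.53 are assumed placeholders.

```conf
# pf.conf fragment (added example; names and addresses are assumptions)
# Syntax check without loading the ruleset: pfctl -nf /etc/pf.conf

ext_if = "em0"            # assumed external interface
dns_ip = "192.0.2.53"     # placeholder for the x.x.x.x in query-source

# Loopback traffic is not filtered.
set skip on lo

# Default deny. pf uses the last matching rule, so this must come
# before the pass rules: anything not passed below stays blocked.
block all

# Outbound UDP queries from named. With
#   query-source address x.x.x.x port 53;
# every UDP query leaves from source port 53, so the rule can match
# on both the source and the destination port.
pass out on $ext_if inet proto udp \
    from $dns_ip port 53 to any port 53 keep state

# query-source only pins the UDP port. TCP queries (truncated
# responses retried over TCP) still leave from an unprivileged
# port chosen at random, so the TCP rule does not match on source port.
pass out on $ext_if inet proto tcp \
    from $dns_ip to any port 53 keep state

# No inbound rule is needed for the answers: "keep state" creates a
# state entry for each query and the reply is passed by that entry.
```

Because the pass rules keep state, replies are matched to the outbound query whatever its source port, so dropping `port 53` from the `from` side of the UDP rule lets the same ruleset work without `query-source`, which leaves BIND's source-port randomization in place.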

