So your pathway is:
LAN -> fw -> pi-hole -> DNS and return.
If you do a dig +dnssec www.wikipedia.org @10.0.0.3 or dig +dnssec www.wikipedia.org from the FW the pathway according to your Domain Name System ends up being the same. The only difference is that the second one starts querying the local DNS cache first.
This means you should probably flush the cache on the FW
unbound-control -c /var/unbound/unbound.conf reload
Not sure if that actually clears the DNS cache or just restarts unbound, so I guess you can
unbound-control flush www.wikipedia.org
if you only want to do that domain only and/or for everything
unbound-control flush_zone .
There is a . dot at the end ^
Check your pi-hole 
…not meant the way it reads 
… it might be using unbound as well.