No. It runs in recursor mode and ask the rootservers directly if no server is configured.
The IPFire dns cache can use only upstream servers that support DNSSec. Use the test to check the servers.
That the rDNS fail is normal for a local ip. It will only work for correct registered public IPs. Servers that correct support DNSSec should work still if rDNS is failing.
There are quite a few IPfire forum posts relating to Pi-hole and DNS filtering in general. My understanding is, that Pi-hole effectively breaks DNSSEC and hence is not considered safe. If it it to be used, it should be used inside your network rather than the link to external DNS servers.
From my experience this consisted of using the Pi-hole to point to your IPfire box for DNS (e.g 192.168.100.1) and the IPfire box to point to external DNS (e.g. 9.9.9.9). This then means that the DNSSEC will not be broken until inside your network.
For completeness, using Pi-hole as DHCP worked well for me and also consider adding a firewall rule on IPfire to block devices from making their own external DNS requests.
I’m by no means an expert, just my understanding from other discussions relating to this subject.
If the Pi is not essential for your Setup, you can also do the filtering directly by the IpFire build-in unbound. Mike Kuketz had explained it very well, and his solution works great for about now three years for me.
The URL is: https://www.kuketz-blog.de/dns-adblocker-skript-fuer-ipfire-ipfire-teil2/
It’s an EZPZ setup. Just a script, a Cronjob and (if you need it) a custom Black- and Whitelist.