There’s a new threat in the wild where a single infected machine in your network can harm all other dhcp clients on the same net: A trojan answering to dhcp-requests.
If that trojan is answering faster than your real dhcp-server it will assign some malicious dns-servers to the client that sent out the request. This is making phishing pretty easy but could also lead to the installation of faked updates.
You can find some more information about that trojan at the symantec page.
A way to prevent this using pfsense is to use a firewallrule on your internal networkinterface that is blocking all outbound tcp/udp port 53 (DNS) connections to any destination. Make sure your internal dns-server, that is manually configured and not affected by this dhcp attack, has a pass rule on top of this block rule or if you use the pfsense as dns-forwarder create a rule that grants access to the pfsense ip on port 53 tcp/udp. This way a client with faked dns-server will not be able to resolve dns anymore which will be noticed pretty soon instead of possibly using the malicious dns servers without noticing it.