Thank you. I found it very helpful to know that the security risk also changes depending on the options when attaching the device.
I also found out about side-channel attacks, that the risk is different depending on whether the connection between the OS and the device is towards being tighter and stricter, or looser and ‘anyone can use it’…
If you’re up to it (no pressure) I think that listing for those three options, what they do and what threat using them (or not) is meant to mitigate would be a valuable piece of shared knowledge in itself. (Asking for a friend! 
)
And I have one additional note. My Debian did not come with a dig command, but a moderator used a tool called Doggo, which I will install and use for verification.
You can install dig in debian with this command:
sudo apt install dnsutils
ありがとう、インストールできました。いまのところ、PFSenseは1.1.1.1/1.0.0.1のDNS設定、QubesOS側も1.1.1.1/1.0.0.1(ポート53で通信)の設定で通信ができている状態ですが、これを10.139.1.1/10.139.1.2にnameserverを変更した上でdigをしてみました。
画像のとおり、10.139.1.1のところで接続が止まっているようです。おそらくこのアドレスはQubesOSの内部DNSで使われているものだと思うのですが、こちらで何か問題が発生しているのかもしれません。
The Qubes OS virtual DNS servers 10.139.1.1/10.139.1.2 are used by qubes and they are redirected to real DNS servers in sys-net using firewall rules.
So in the end the qubes are using DNS servers that are set in sys-net.
