Those are regular Pi-hole internal requests for DNSSEC validation, see also Understanding DNSSEC validation using Pi-hole’s Query Log - nothing to worry about.
Yes, your dig results confirms that to be the case:
The corresponding request did not register in Pi-hole's Query Log (also indicated by the IP returned, which would have been 0.0.0.0 for a default Pi-hole).
As Portmaster seems to be a kind of client-side firewall software(?), it may well be effective in filtering out DNS requests from your machine before it reaches Pi-hole, especially if it would use the same blocklists.
Disabling IPv6 on your RPi that hosts your Pi-hole won't stop your IPv6 capable clients to talk to an alternate IPv6 address for DNS, if and as potentially provided by your router.
If your router would provide public or even link-local IPv6 connectivity, you'd want to verify that it does not advertise an IPv6 DNS server at all, or your Pi-hole host machine's IPv6.
You'd have to consult your router's documentation sources on further details for its IPv6 DNS configuration options.