site not blocking when it should be

methom90wh
Level 1

www.xhamster.com is being blocked as expected but for some reason m.xhamster.com works?!

I checked and m.xhamster.com is set up in OpenDNS to inherit the tags from xhamster.com and therefore should be blocked.

Have I missed something?

It looks like my config is correct since other sites look to be getting blocked fine.

I'm on a static IP, using a pfSense firewall in front of everyone and blocking port 53 requests that aren't directed at the pfSense interface (i.e., if someone is trying to use another DNS server then pfSense will block it).


methom90wh
Level 1

See results at https://opendnsupdate.appspot.com/d/6157300683243520

All the tests I've done so far have mostly been in private mode.

I'm pretty confident of the browser setup. This issue is happening on my own PC as well as on a base-install Linux box.

I also allowed all port 53 traffic on the LAN and logged it. Everything on my PC is going to the pfSense interface and not to a 3rd-party server.

alexahar
Cisco Employee

Everything does appear to be configured correctly, and m.xhamster.com is being blocked when using the default DNS servers. Direct access to OpenDNS (208.67.222.222) on port 53 is being blocked; however, an nslookup to a third-party DNS provider, Level3 (4.2.2.1), was able to complete successfully and return the IP for m.xhamster.com.

Results for: nslookup m.xhamster.com. 4.2.2.1
stdout:
Server:  a.resolvers.level3.net
Address:  4.2.2.1
Name:    m.xhamster.com
Addresses:  2a02:b48:4000:1::4248
	  2a02:b48:4000:1::4247
	  2a02:b48:4000:1::4246
	  2a02:b48:4000:1::4249
	  88.208.24.59
	  88.208.24.58
	  88.208.24.56
	  88.208.24.57

This indicates that it may be possible to use a different DNS server manually configured on a device and that the firewall isn't blocking other DNS providers like it's expected to. You did say you opened up port 53, and you should see this allowed DNS request for m.xhamster.com resolving unblocked via 4.2.2.1.

methom90wh
Level 1

See results at https://opendnsupdate.appspot.com/d/5981648734650368

I did a second test. Not sure why direct access to 208.67.222.222 would be blocked. Maybe I opened 53 up after I started the test.

Looking now the fw hasn't blocked any traffic.

Once I have this sorted I'll lock down 53 again to prevent people from using a 3rd-party DNS.

methom90wh
Level 1

I haven't got to the bottom of this yet, but it is related to my ISP. Via my normal ISP I have the problem, but when I used my phone to provide internet to my laptop, OpenDNS blocked all 3 sites as expected.

I probably won't get a chance to fix this until November as I'm just about to go on holiday.

Thanks for all the help!

rotblitz
Level 6

"I haven't got to the bottom of this yet but it is related to my ISP."

There may be a mismatch between your IP address used to send DNS traffic and your IP address used to send HTTP traffic.

Your DNS IP address:  nslookup myip.opendns.com.
Your web IP address:  http://myip.dnsomatic.com/

Are those different?

Or is your ISP using a proxy or cache or NAT? 
http://www.lagado.com/proxy-test 
http://www.lagado.com/tools/cache-test
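The two checks discussed so far, alexahar's "can a device reach a third-party resolver at all?" test and rotblitz's "is the IP OpenDNS sees the same one web servers see?" comparison, scripted together. This is an added example, not OpenDNS or pfSense tooling and not code from the thread. It builds and parses DNS packets by hand so it needs nothing outside the Python standard library; the resolver addresses are the ones named in the thread plus 8.8.8.8 as an extra probe, and `sample_response()` fabricates a reply purely for offline testing.

```python
"""Added example (not OpenDNS/pfSense tooling): two LAN-side checks.
check_dns_egress(): raw DNS queries to public resolvers; any resolver other
than your gateway that answers means the port-53 egress rule is not working.
dns_vs_web_ip(): the IP OpenDNS sees for your queries vs the IP web servers
see; a mismatch means an ISP proxy/NAT sits in the HTTP path."""
import random
import socket
import struct
import urllib.request

A, AAAA, CNAME = 1, 28, 5
# Resolvers named in the thread plus one extra probe; with a working egress
# rule only the gateway (or nothing) should answer.
RESOLVERS = {"OpenDNS": "208.67.222.222", "Level3": "4.2.2.1", "Google": "8.8.8.8"}

def build_query(name, qtype=A, txid=0):
    """Minimal recursion-desired DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow, remember end
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg, txid):
    """Return {"rcode": int, "answers": [(name, type, ttl, value), ...]}."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == CNAME:
            value, _ = _read_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0xF, "answers": answers}

def query(resolver, name, qtype=A, timeout=2.0):
    """UDP query to one resolver; None if it does not answer in time."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)

def check_dns_egress(name, resolvers=RESOLVERS, timeout=2.0):
    """Map resolver label -> list of A records, or None when blocked."""
    out = {}
    for label, ip in resolvers.items():
        r = query(ip, name, timeout=timeout)
        out[label] = None if r is None else [v for _, t, _, v in r["answers"] if t == A]
    return out

def dns_vs_web_ip(resolver="208.67.222.222", timeout=5.0):
    """(dns_ip, web_ip, match) as rotblitz asks; resolver may be your gateway
    if it forwards to OpenDNS, since only OpenDNS answers myip.opendns.com."""
    r = query(resolver, "myip.opendns.com", timeout=timeout)
    dns_ip = next((v for _, t, _, v in r["answers"] if t == A), None) if r else None
    with urllib.request.urlopen("http://myip.dnsomatic.com/", timeout=timeout) as resp:
        web_ip = resp.read().decode().strip()
    return dns_ip, web_ip, dns_ip == web_ip

def sample_response(txid, name, addresses):
    """Constructed reply (test data, not a capture) using name compression."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in addresses)
    return hdr + build_query(name, A, txid)[12:] + rrs
```

Run `check_dns_egress("m.xhamster.com")` from a LAN client with the pfSense rule in place: the expected result is `None` for every public resolver, and any list of addresses coming back from Level3 or Google is the leak alexahar describes. `dns_vs_web_ip()` reproduces rotblitz's two lookups in one call; the `match` flag being `False` is the proxy/NAT symptom the rest of the thread turns on. Note that a transaction-ID check alone is not authentication, it only rejects stray or stale replies, and UDP from a LAN host will also be dropped silently by a correctly working egress rule, which is why a timeout is reported as "blocked".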

alexahar
Cisco Employee

"Via my normal ISP I have the problem but when I used my phone to provide internet to my laptop OpenDNS blocked all 3 sites as expected."

Chances are, the IP address registered to your account is the phone IP address rather than the ISP internet IP address. Your current registered IP is 222.154.X.X. Is this what you see when visiting http://myip.dnsomatic.com from your ISP connection? If not, then your phone IP is registered to your account. Since you don't have an active Updater client, this would result in only your phone connection being filtered, and your ISP connection isn't being touched.

The other possibility is the one with the ISP issue that has been discussed above, which would take some more work to resolve. 

methom90wh
Level 1

"Chances are, your IP address registered to your account is the Phone IP address rather than the ISP Internet IP address."

Nah, it is my usual internet provider. When I tried the domains with my phone, instead of the OpenDNS block page it went to the mobile company's main page, but in the URL I could see the category tags that the www site would have been tagged with.
methom90wh
Level 1

Thanks for your help everyone.

My phone is with Vodafone in NZ and Telecom provide the main house line. When I go to the domain on my phone it's being redirected to the main Vodafone.co.nz www page, and in the URL I can see the category tags that would be associated with the domain. I did change the phone connection to the OpenDNS IPs, so maybe Vodafone subscribe.

Telecom provide internet and phone to the house over ADSL. I rang them yesterday to ask about any issues with caching and they tried to say it's probably an issue with my ADSL modem and said they doubt it's an issue with any upstream cache.
So perhaps 2 issues.

1) dnsomatic.com returned a different IP to my Telecom static IP: 222.153.122.196 from dnsomatic and 222.154.235.3 from the nslookup. The 2nd IP address here is the static one assigned to my house. If I reload this page a few times then I get the 2nd IP address.

2) It looks like I failed the cache test. I got the same ID from the page after clearing my cache, and I also got the same ID again when I tried it from a different PC that is attached directly to the ADSL modem, whereas my laptop is behind pfSense.
rotblitz
Level 6

Yes, the trend with possibly different web and DNS IP addresses and the cache test confirm that your ISP is using caching technology. This is well known for NZ and has been discussed a lot already in the old forums https://forums.opendns.com/. Because NZ is pretty isolated from the rest of the world from a network perspective, it would be hard and slow to surf the internet without this caching technology.

That said, it is the IP address returned from "nslookup myip.opendns.com." which must be registered at https://dashboard.opendns.com/settings/ for your content filtering and the stats to take effect. And it is the IP address from http://myip.dnsomatic.com/ which must be registered for your customization of block pages to take effect.

Because these are different, you have the choice, e.g., not to use customization of block pages, or to manage a second OpenDNS network, one with your DNS IP address and one with your web IP address.

This is the best bet you have, and you will still not be able to consistently see the results you expect from your use of OpenDNS. This is because of your ISP's caching. For example, if you have example.com blocked and your browser requests it, then your ISP analyses this, and if they just happen to have example.com in their cache, they'll present it to you without loading the content from the original site example.com and regardless of the DNS query result, and your OpenDNS settings are simply disregarded in this case.

To go back to your original problem, this is certainly the case with m.xhamster.com too, where many of your ISP's customers may visit it with their smartphones, so it's almost certainly in your ISP's cache.

You may ask your ISP if there is a possibility to opt out from caching. Please note that this may significantly slow down your internet speed, but you would be able to use OpenDNS consistently then.

methom90wh
Level 1

Is there anything I can do inside my LAN to work around this?

I agree that removing myself from the cache might be worse.

rotblitz
Level 6

No, you can't do anything inside your LAN, because this is not where the problem is.

rotblitz
Level 6

Ah wait, it depends on what you want to achieve within your LAN. You could use the local hosts file on each device to block domains as you want, in addition to OpenDNS. The hosts file has priority over DNS.

https://startpage.com/do/search?q=hosts+file+block

You can also add domains to the blacklist in most browsers.  Or you could run an internal DNS server or proxy server to filter content yourself.

methom90wh
Level 1

I've found a fix for the domain in question.

pfSense has a DNS forwarder which allows you to resolve "local" hostnames before going out to the OpenDNS servers. There are options to override a domain and send it to a different DNS server. I've used this option and put in a fake 192.168.x.x IP address. This causes any traffic to that domain to time out.

While not perfect at least I have a way to plug any holes I find.

Thanks again for all your help.
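The LAN-side workaround rotblitz suggests (hosts file or an internal resolver) and the pfSense forwarder override methom90wh settled on, written out in dnsmasq syntax, which is what the pfSense DNS Forwarder runs. This is an added example, not the thread's own configuration, and the domain and the pfSense menu path are assumptions. Two caveats worth knowing: a pfSense "Domain Override" is `server=/domain/ip`, i.e. it forwards the query to the named server rather than answering it, so a made-up 192.168.x.x target makes the client wait for the DNS query to time out; the options below answer immediately instead. And overriding the parent domain covers every subdomain at once, which is exactly the m. vs www. gap that started this thread.

```conf
# Added example: custom dnsmasq options for the pfSense DNS Forwarder
# (Services > DNS Forwarder > Advanced > Custom options; path assumed).
# Not from the thread.

# Option 1: treat xhamster.com and every subdomain as local-only.
# local= is server= with no upstream: the query is never forwarded (so it
# cannot leak to any resolver) and, with no /etc/hosts entry, gets NXDOMAIN.
local=/xhamster.com/

# Option 2: hand back an unroutable address instead of NXDOMAIN.
# 0.0.0.0 beats a fake 192.168.x.x: the browser fails at once instead of
# waiting for a SYN to time out. Matches m., www. and any future subdomain.
# address=/xhamster.com/0.0.0.0

# Per-device equivalent (the hosts-file route). Hosts files match exact
# names only, so every subdomain needs its own line:
#   /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts
# 0.0.0.0 m.xhamster.com
# 0.0.0.0 www.xhamster.com
```

This works against the ISP cache only because the browser never sends the HTTP request when the name does not resolve; it does nothing for a client that bypasses the gateway's DNS (a hard-coded IP, DNS over HTTPS in the browser, or a VPN), so the port-53 egress rule from the start of the thread still matters.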

methom90wh
Level 1

Would DNSCrypt help my situation at all?

Would that be enough to sidestep my ISP intercepting requests?

rotblitz
Level 6

No, as I said, your ISP doesn't care about your DNS queries, no matter if encrypted or not. They look at the URL to see if they have that in the cache and disregard any DNS in this case. Only if it's not in the cache do they load it from the original site, using your DNS query result. That said, the interception is not at the DNS level but at the HTTP/HTTPS level. And exactly this is the problem.