Diag tool traceroute does not finish

I have been trying to debug very slow DNS lookups with my NextDNS setup which have appeared lately. I am using pfSense as my router running on a x86 box. 

I have tried the diag tool for NextDNS, but it does not run to completion. It appears to get stuck in the first traceroute (to the primary ipv4 address). Here is the redacted log:

-------------------------------------------------------------

Welcome to NextDNS network diagnostic tool.

This tool will download a small binary to capture latency and routing information
regarding the connectivity of your network with NextDNS. In order to perform a
traceroute, root permission is required. You may therefore be asked to provide
your password for sudo.

The source code of this tool is available at https://github.com/nextdns/diag

Do you want to continue? (press enter to accept)
Testing IPv6 connectivity
  available: true
Fetching https://test.nextdns.io
  status: ok
  client: XX.XX.XX.XX <redacted>
  protocol: DOT
  dest IP: 45.90.30.0
  server: zepto-lax-1
Traceroute for primary IPv4 (45.90.28.0)
1 96.120.xxx.xxx 12ms 8ms 9ms <redacted>
    2 24.124.159.189   14ms  10ms   8ms
    3 162.151.78.253    9ms   7ms  12ms
    4   68.86.143.93    9ms   9ms   9ms
    5    4.68.72.105   10ms  12ms  12ms

<and then it hangs out here forever?>

So there appears to be no timeout on the traceroute. If I run traceroute from the command line (FreeBSD) I get a similar result (which means that the actual issue is likely not NextDNS script related):

traceroute 45.90.28.0
traceroute to 45.90.28.0 (45.90.28.0), 64 hops max, 40 byte packets
1 96.120.xx.xxx (96.120.xx.xxx) 13.346 ms 13.642 ms 9.392 ms
 2  24.124.159.189 (24.124.159.189)  13.992 ms  15.952 ms  13.582 ms
3 be-232-rar01.santaclara.ca.sfba.comcast.net (162.151.78.253) 16.483 ms 14.575 ms 11.796 ms
4 be-299-ar01.santaclara.ca.sfba.comcast.net (68.86.143.93) 8.557 ms 18.196 ms 14.603 ms
5 lag-14.ear3.SanJose1.Level3.net (4.68.72.105) 14.752 ms 14.970 ms 10.327 ms
 6  * * *
 7  4.7.18.206 (4.7.18.206)  17.050 ms  12.720 ms  24.252 ms
 8  * * *
 9  * * *
10  * * *
11  * * *

<and so on>

So if the traceroute isn't working, what should I do next? I have used ping.nextdns.io and get reasonable results:

■ vultr-sjc (IPv4)       12 ms  (primary)

  vultr-lax (IPv4)       18 ms

  do-sfo (IPv6)          18 ms

  do-sfo (IPv4)          20 ms

■ vultr-sjc (IPv6)       20 ms  (primary)

  zepto-lax (IPv6)       20 ms

  vultr-lax (IPv6)       21 ms

  anexia-lax (IPv6)      23 ms

■ zepto-lax (IPv4)       25 ms  (secondary)

  frantech-las (IPv6)    27 ms

  one-pdx (IPv4)         29 ms

  vultr-sea (IPv6)       31 ms

  smarthost-las (IPv6)   31 ms

  smarthost-las (IPv4)   32 ms

  vultr-sea (IPv4)       34 ms

  router-phx (IPv4)      35 ms

  frantech-las (IPv4)    35 ms

  anexia-lax (IPv4)      47 ms

■ zepto-iad (IPv6)       76 ms  (secondary)