# Block all DNS traffic
block return out proto { tcp, udp } to port 53 flags any no state

# Allow our DNS servers
table <dnsaddr> {}
pass out proto { tcp, udp } to <dnsaddr> port 53 flags any no state