said by gwion:
Typically, you will not need to allow TCP connections to or from remote port 53, unless you are using specific applications that query nameservers directly.
No, you really need both. Normally, replies to DNS requests will come over UDP port 53, as stated above. However, if the reply size is greater than the size of a single UDP packet, the response will instead come via TCP port 53, even for "normal" requests from applications.
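The UDP-then-TCP behaviour the reply above refers to, as an added example that is not part of the original thread: a DNS server that cannot fit its answer into the UDP reply sets the TC (truncated) bit in the header, and the client then repeats the same query over TCP port 53, where each message is prefixed by a 2-byte length. The transports are injected as callables so the fallback logic runs offline against constructed messages; the server name, the `example.test` label and the 192.0.2.x addresses are assumptions chosen for illustration, and the `udp_over_network`/`tcp_over_network` helpers are the only pieces that touch a real resolver.

```python
"""Minimal DNS client logic: query over UDP/53, retry over TCP/53 when the
reply carries the TC (truncated) flag. Example code, not from the thread."""
import socket
import struct

DNS_PORT = 53
FLAG_TC = 0x0200          # truncation bit in the 16-bit flags word (RFC 1035 4.1.1)
FLAGS_QUERY = 0x0100      # RD=1
FLAGS_ANSWER = 0x8180     # QR=1 RD=1 RA=1
FLAGS_TRUNCATED = 0x8380  # QR=1 TC=1 RD=1 RA=1


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header plus one IN-class question."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the header fields a client needs to drive the TCP fallback."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & FLAG_TC)}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("incomplete TCP DNS message")
    return data[2:2 + n]


def resolve(name, udp_send, tcp_send, qtype=1, txid=0x1234):
    """Send the query over UDP; if the reply is truncated, repeat it over TCP.
    Returns (transport_used, response_bytes)."""
    query = build_query(name, qtype, txid)
    reply = udp_send(query)
    if parse_header(reply)["id"] != txid:
        raise ValueError("UDP reply transaction id mismatch")
    if not parse_header(reply)["tc"]:
        return "udp", reply
    reply = tcp_unframe(tcp_send(tcp_frame(query)))   # same question, TCP/53
    if parse_header(reply)["id"] != txid:
        raise ValueError("TCP reply transaction id mismatch")
    return "tcp", reply


# --- constructed server behaviour, so the fallback can be exercised offline ---
EXAMPLE_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # assumed: documentation range


def make_reply(query, flags, ips):
    """Echo the query's id and question, then append one A record per address."""
    txid = parse_header(query)["id"]
    question = query[12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0) + question + answers


def fake_udp(query):
    """Constructed UDP path: server sets TC and withholds the answer section."""
    return make_reply(query, FLAGS_TRUNCATED, [])


def fake_tcp(framed):
    """Constructed TCP path: the full answer, length-prefixed."""
    return tcp_frame(make_reply(tcp_unframe(framed), FLAGS_ANSWER, EXAMPLE_IPS))


# --- real transports for use against an actual resolver (server is an assumption) ---
def udp_over_network(server):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(query, (server, DNS_PORT))
            return s.recv(4096)
    return send


def tcp_over_network(server):
    def recv_exactly(sock, n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("TCP connection closed mid-message")
            buf += chunk
        return buf

    def send(framed):
        with socket.create_connection((server, DNS_PORT), timeout=3) as s:
            s.sendall(framed)
            length = recv_exactly(s, 2)
            return length + recv_exactly(s, struct.unpack("!H", length)[0])
    return send


if __name__ == "__main__":
    transport, reply = resolve("example.test", fake_udp, fake_tcp)
    print(transport, parse_header(reply))
```

The point for a firewall rule is visible in `resolve`: the client never opens TCP first, but the moment a UDP reply comes back with TC set it opens an outbound connection to TCP/53 of the same server, so blocking that port turns every oversized answer into a failed lookup rather than a slow one.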