Yea...personally, it seems like the firewall is behaving like it should. You know what I did @SG22 ...since we spoke about 25 mins ago, I logged into 2 customers' environments and ran the exact same commands with their internal DNS servers, and the output was literally the same: no drops related to port 53, and curl_cli gave correct output as well.
Since you mentioned there was a power outage about 2 weeks ago, I have a feeling that caused this problem, if it started happening right after. Now, tracing it to a specific "culprit" might be a bit of a challenge. Personally, though I know this would be a drag to do in big environments, I would start by process of elimination...so whatever device is eliminated as a problem, there are fewer things left to be the cause of the issue.