Firewall/NAT

I was wondering if someone can help me please.  I have attached a screenshot of my firewall and was wondering if you can explain why my users cannot resolve internet addresses.  I restrict port 53 because I DO NOT want them using their own DNS and I use a paid for DNS service to filter traffic so I have allowed DNS to certain IP's only.  However unless I have a rule in their allowing UDP 53 to anywhere they cannot resolve addresses.

Any help would be greatly appreciated.
(http://www.thefifthrace.com/untitled.jpg)

A better approach would be to create two rules that BLOCK traffic not to the DNS server addresses and port.

Firewall Rules LAN

Rule 1

Action: Block
Interface: LAN
Protocol: TCP/UDP
Source: 10.0.10.0/24 (or LAN net)
Source Port: any
Destination: check not box <-- important ;-)
Type: Single host or alias
Address: 208.67.222.222
Destination port range: 53

Rule 2, as above but change Destination address to the other DNS server IP.

Move these rules to top of list. Apply changes, then reset state.

A simpler way may be to enable the "DNS Forwarder", the make sure the only DNS servers you have in your "General Setup" are those you just listed. Then create a single rule that blocks anyone on the lan side from going outbound DNS. This won't block them from using your local lan DNS forwarder, which piggybacks on top of your general DSN settings. It may solve a lot of configuration headaches this way. I assume you are using the m0n0wall built in DNS?

thanks for that, I will both of these and let you know how it goes