Well, I'm only blocking forwarded TCP packets from the LAN at this point. All forwarded UDP packets are allowed to pass through, and all outbound traffic (TCP or UDP) that originates from the gateway itself is allowed. The lookup for the script would fall into the latter, would it not? DNS resolution is working fine on the gateway... it's just not working in my script.
Nevertheless, I tried adding an explicit rule for outbound DNS, but it didn't change the result. I had a quick peek at the script IchNiSan linked to, and I think I may be able to work with that. I will have to spend some time dissecting what it does. In the meantime, the issue remains unresolved. No pun intended.




