In addition to previous post:
Read this thread for best firewall explanation around:
https://community.ubnt.com/t5/EdgeMAX/Layman-s-firewall-explanation/td-p/1436103
Besides dns traffic, you will also need to allow dhcp traffic on VLAN_LOCAL rulesets (udp dest port 67)