It may happen if, let's say, the firewall received a larger packet and, after encapsulation, the MTU size is greater than what the interface can support. And let's say this is for a TCP packet where the DF bit has been set.
In that case, the firewall finds it cannot fragment the packet, and it may cause the firewall to drop these packets at that point.
For DNS, however, it's UDP traffic where such flags do not come into the picture, so I don't really think that's going to apply.
I think it's probably more beneficial for you to run some debugs (on the firewall) when you are doing an nslookup.
That's going to tell you exactly where the DNS request was sent, e.g. did the firewall drop the request or anything.
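To make the DF/encapsulation logic in the post concrete, here is an added example (not the poster's code and not from any firewall vendor) that builds a minimal IPv4 header, reads the DF bit, and decides whether a packet would be forwarded, fragmented, or dropped with an ICMP "fragmentation needed" indication once a constructed encapsulation overhead is added. The 50-byte overhead, the sample addresses and the packet sizes are assumptions made up for the example.

```python
import math
import struct

# IPv4 flags/fragment-offset field: bit 0x4000 is "Don't Fragment" (DF).
IPV4_DF = 0x4000
IPV4_HEADER_LEN = 20
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_header(total_length: int, protocol: int, df: bool) -> bytes:
    """Build a constructed 20-byte IPv4 header (no checksum; sample addresses)."""
    flags_frag = IPV4_DF if df else 0
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # DSCP/ECN
        total_length,    # total length of the inner packet, header included
        0x1234,          # identification (constructed)
        flags_frag,      # flags + fragment offset
        64,              # TTL
        protocol,
        0,               # checksum left at zero in this example
        bytes([10, 0, 0, 1]),   # assumed source address
        bytes([10, 0, 0, 2]),   # assumed destination address
    )


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields the forwarding decision needs, including the DF bit."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _, total_length, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "total_length": total_length,
        "protocol": proto,
        "df": bool(flags_frag & IPV4_DF),
    }


def forwarding_decision(pkt: bytes, encap_overhead: int, egress_mtu: int) -> dict:
    """Decide what an encapsulating device does with pkt on an egress link of egress_mtu.

    encap_overhead is the number of bytes the tunnel adds (assumed value in tests).
    Returns a dict with the action and, where relevant, the fragment count or the
    next-hop MTU an ICMP type 3 / code 4 message would advertise.
    """
    hdr = parse_ipv4_header(pkt)
    outer_size = hdr["total_length"] + encap_overhead
    result = {"action": "forward", "outer_size": outer_size, "df": hdr["df"]}

    if outer_size <= egress_mtu:
        return result  # fits after encapsulation; nothing to do

    # Largest inner packet that still fits once the overhead is added.
    max_inner = egress_mtu - encap_overhead
    if hdr["df"]:
        # DF set: the device may not fragment, so the packet is dropped and the
        # sender would be told the usable MTU (ICMP destination unreachable, code 4).
        result.update({"action": "drop", "icmp_next_hop_mtu": max_inner})
        return result

    # DF clear (typical for UDP such as DNS): fragment the inner packet.
    # Fragment payloads must be multiples of 8 bytes except for the last one.
    payload_per_fragment = ((max_inner - IPV4_HEADER_LEN) // 8) * 8
    data_len = hdr["total_length"] - IPV4_HEADER_LEN
    result.update({
        "action": "fragment",
        "fragments": math.ceil(data_len / payload_per_fragment),
    })
    return result


if __name__ == "__main__":
    # Constructed scenario: 1500-byte inner packets, 50 bytes of tunnel overhead,
    # 1500-byte egress MTU. TCP with DF is dropped; UDP without DF is fragmented.
    tcp_df = build_ipv4_header(1500, PROTO_TCP, df=True)
    udp = build_ipv4_header(1500, PROTO_UDP, df=False)
    print(forwarding_decision(tcp_df, 50, 1500))
    print(forwarding_decision(udp, 50, 1500))
```

The interesting check when debugging the firewall is the `df` field: a drop with `icmp_next_hop_mtu` only happens when DF is set, which is why a DNS lookup over UDP would normally be fragmented rather than silently discarded by this mechanism.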