Hello,
Rest assured, there are no hidden policies.
Especially considering most of the DNS queries are working, while a few are failing, it is mostly a scale issue, maybe on the firewall, maybe not.
> Just to ensure we have the right picture, can you start with a packet-capture for the DNS traffic?
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563&actp=METADATA
> This will prove if the issue is indeed on the firewall
> Simultaneous capture on the client and remote end (over the VPN) if possible will be a plus for correlation
> Do you have a cluster setup or is this a standalone device?
> If it's a cluster, if possible try a failover to the other node to eliminate the HW/Datapath
I hope this helps. Regards,
Vikas
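The correlation step suggested above (a simultaneous capture on the client and on the remote end, matched per DNS transaction to see where a failing query disappears) can be scripted once the captures are reduced to per-packet summaries. The following is an added example, not code from the post or from Juniper; it assumes the summaries have already been extracted from each capture (for instance from tcpdump or tshark output) and uses a constructed sample set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsEvent:
    """One DNS packet summarised from a capture (sample data below is constructed)."""
    side: str    # "client" or "remote": which capture point saw the packet
    kind: str    # "query" or "response"
    txid: int    # DNS transaction ID; pairs a response with its query
    qname: str   # queried name

def classify(events):
    """Correlate both captures by (txid, qname) and say where each query was lost."""
    seen = {}
    for e in events:
        seen.setdefault((e.txid, e.qname), set()).add((e.side, e.kind))
    result = {}
    for key, s in seen.items():
        if ("client", "query") not in s:
            result[key] = "no_client_query"            # only the remote saw it
        elif ("remote", "query") not in s:
            result[key] = "lost_before_remote"         # dropped on the way out (firewall/VPN path)
        elif ("remote", "response") not in s:
            result[key] = "unanswered_at_remote"       # reached the far side, server never answered
        elif ("client", "response") not in s:
            result[key] = "response_lost_on_return"    # answered, but the reply never came back
        else:
            result[key] = "ok"
    return result

def summarize(events):
    """Count queries per outcome, the quick view to compare against the firewall session table."""
    counts = {}
    for status in classify(events).values():
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample: four transactions, one per outcome.
SAMPLE = [
    DnsEvent("client", "query", 0x1A2B, "intranet.example."),
    DnsEvent("remote", "query", 0x1A2B, "intranet.example."),
    DnsEvent("remote", "response", 0x1A2B, "intranet.example."),
    DnsEvent("client", "response", 0x1A2B, "intranet.example."),
    DnsEvent("client", "query", 0x3C4D, "mail.example."),
    DnsEvent("client", "query", 0x5E6F, "files.example."),
    DnsEvent("remote", "query", 0x5E6F, "files.example."),
    DnsEvent("client", "query", 0x7081, "wiki.example."),
    DnsEvent("remote", "query", 0x7081, "wiki.example."),
    DnsEvent("remote", "response", 0x7081, "wiki.example."),
]

if __name__ == "__main__":
    for key, status in classify(SAMPLE).items():
        print(f"txid=0x{key[0]:04x} {key[1]:<20} {status}")
    print(summarize(SAMPLE))
```

Only "lost_before_remote" and "response_lost_on_return" point at the firewall or VPN path; "unanswered_at_remote" means the query made it through and the problem lies with the far-end resolver.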