> Yea but I wonder why PF isn't working here. I didn't see you mention it not working in any of your posts.
What you might notice with the PF workaround is that sites like doxpara think you're vulnerable, because queries to the same name server use the same source port. Queries to different servers will use different source ports. The way to confirm it's working is to watch some DNS packets to different servers with tcpdump.
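One way to do the tcpdump check described above without eyeballing packets, as an added example that is not part of the original thread: capture outbound DNS with something like `tcpdump -n -i <iface> udp port 53`, then feed the text lines into this small parser. It groups client source ports by upstream name server and reports whether ports differ across servers (the behaviour the PF workaround gives you, which single-server tests such as doxpara's misread as vulnerable) or stay fixed everywhere (no randomization at all). The sample lines, addresses and ports below are constructed; the line format assumed is tcpdump's default `-n` output for UDP.

```python
import re
from collections import defaultdict

# Matches the "src.port > dst.port:" part of a tcpdump -n line such as
#   12:00:01.000000 IP 192.0.2.10.53129 > 198.51.100.1.53: 12345+ A? example.com. (29)
_TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def source_ports_by_server(lines):
    """Map each upstream name server (dst IP) to the set of client source ports seen.

    Only outbound queries (destination port 53) are counted; replies from
    port 53 back to the client are ignored.
    """
    ports = defaultdict(set)
    for line in lines:
        m = _TCPDUMP_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        ports[m.group("dst")].add(int(m.group("sport")))
    return dict(ports)


def assess(lines):
    """Summarize how source ports are spread across the servers we queried."""
    per_server = source_ports_by_server(lines)
    all_ports = set().union(*per_server.values()) if per_server else set()
    return {
        "servers": len(per_server),
        "distinct_ports": len(all_ports),
        # PF state reuse: one fixed port per server, as the post describes.
        "same_port_per_server": bool(per_server)
        and all(len(p) == 1 for p in per_server.values()),
        # What actually matters: different servers see different ports.
        "randomized_across_servers": len(per_server) > 1 and len(all_ports) > 1,
    }


# Constructed capture: PF workaround in place. Same port per server, but the
# two servers are hit from different ports.
PF_SAMPLE = [
    "12:00:01.000000 IP 192.0.2.10.53129 > 198.51.100.1.53: 1001+ A? example.com. (29)",
    "12:00:01.000500 IP 198.51.100.1.53 > 192.0.2.10.53129: 1001 1/0/0 A 203.0.113.5 (45)",
    "12:00:02.000000 IP 192.0.2.10.53129 > 198.51.100.1.53: 1002+ A? example.net. (29)",
    "12:00:03.000000 IP 192.0.2.10.61007 > 198.51.100.2.53: 1003+ A? example.org. (29)",
    "12:00:04.000000 IP 192.0.2.10.61007 > 198.51.100.2.53: 1004+ AAAA? example.org. (29)",
]

# Constructed capture: no randomization. Every query leaves from port 32768.
UNPATCHED_SAMPLE = [
    "12:00:01.000000 IP 192.0.2.10.32768 > 198.51.100.1.53: 2001+ A? example.com. (29)",
    "12:00:02.000000 IP 192.0.2.10.32768 > 198.51.100.2.53: 2002+ A? example.net. (29)",
    "12:00:03.000000 IP 192.0.2.10.32768 > 198.51.100.3.53: 2003+ A? example.org. (29)",
]


def verdict(lines):
    r = assess(lines)
    if r["servers"] < 2:
        return "inconclusive: query at least two different servers"
    if r["randomized_across_servers"]:
        return "ports vary across servers (PF-style randomization working)"
    return "single source port for all servers (not randomized)"


if __name__ == "__main__":
    import sys
    # Pipe `tcpdump -n -l udp port 53` into this script, or run without stdin for the samples.
    if not sys.stdin.isatty():
        print(verdict(sys.stdin.read().splitlines()))
    else:
        print("PF sample:", verdict(PF_SAMPLE))
        print("unpatched sample:", verdict(UNPATCHED_SAMPLE))
```

Run it against a capture taken while resolving a few names whose authoritative servers differ; a single-server test will always report "inconclusive" here, which is the same blind spot the post attributes to doxpara.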