lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

/ip firewall NAT on bridge with use-ip-firewall not working

Sun Jul 07, 2019 8:32 pm

I'm using use-ip-firewall on bridges, and if I add any NAT rule that affects traffic on the bridge, it basically gets blackholed. Why is that? It only happens when there's no IP address on the bridge. Would bridge NAT work in such a scenario? I want to redirect port 53 to the local DNS server at bridge level, since I'm dropping any DNS traffic not destined to the LAN in the bridge firewalls so it doesn't reach the core router, which would normally perform NAT.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Sun Jul 07, 2019 11:03 pm

Concur with the approach of simply stating the requirements in terms of the desired functionality users will experience, without mention of config/settings.
I have users X and users Y; I want to ensure that users X access the internet with the following limitations..., I want to ensure users Y access the internet with the following limitations...
Having an understanding of the requirements without clouding the issue with router settings you may or may not be using (either correctly or appropriately) is optimal to get you to a working, useful solution!!
 
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 12:30 am

anav wrote:
    Concur with the approach of simply stating the requirements in terms of the desired functionality users will experience, without mention of config/settings.
    I have users X and users Y; I want to ensure that users X access the internet with the following limitations..., I want to ensure users Y access the internet with the following limitations...
    Having an understanding of the requirements without clouding the issue with router settings you may or may not be using (either correctly or appropriately) is optimal to get you to a working, useful solution!!

I personally have disabled DNS from DHCP on all my devices because I don't trust ISP DNS servers, which are often given out by DHCP in most networks, either directly or indirectly, since the gateway forwards to the ISP's servers (starting from the fact that they're censored). It's almost never a good idea to allow ISP DNS servers, so I try to force 3rd-party DNS servers wherever possible. That said, this network has a DNSSEC- & DNSEnc-enabled caching DNS server forwarding to 8.8.8.8, and I don't want users to send requests to 8.8.8.8 (or in fact any non-DNSSEC/non-DNSEnc-enabled server) directly. That's why I want to redirect to the local, protected DNS, and I don't want users who disabled DNS from DHCP (including myself lol) to have connectivity issues.

I have used such a setup for years; however, now I noticed the issue for the first time, since the firewall blocks packets only after the second bridge (so it works properly for all APs working as bridges that are connected directly to the core router, but now, for the first time, I used more than one firewalled bridge along the path, and it drops packets to 8.8.8.8 when using my usual config).
 
User avatar
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 10:57 am

If there is no IP address on an interface, then NAT cannot translate.
 
User avatar
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 12:43 pm

mrz wrote:
    If there is no IP address on an interface, then NAT cannot translate.

What are the security implications of adding a 'dummy' IP address (e.g. 1.2.3.4) on an interface that is supposed to work as a pure L2 bridge, with drop-all input on the firewall, just to allow NAT?
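A reconstruction of the setup discussed in this thread, added here as an example; it is not configuration posted by lapsio, nor taken from MikroTik documentation. It shows a transparent bridge with use-ip-firewall, a dst-nat rule that redirects port 53 to the LAN resolver, an input chain that drops everything addressed to the bridge box, and a forward drop for DNS that would leave the LAN. The interface name bridge1 and the addresses 192.168.88.0/24 (LAN), 192.168.88.53 (the local DNSSEC-validating resolver) and 192.168.88.250 (the address placed on the bridge) are assumptions. The address on the bridge follows mrz's statement that NAT cannot translate on an interface without one and is the 'dummy' address lapsio asks about in the last post; the thread does not confirm that it is sufficient on the poster's RouterOS version.

```routeros
# Added example, not from the thread. Assumed names and addresses:
#   bridge1          - the L2 bridge carrying the LAN
#   192.168.88.0/24  - the LAN prefix
#   192.168.88.53    - the local DNSSEC-validating, encrypting resolver
#   192.168.88.250   - address placed on the bridge only so that NAT has an
#                      address to work with (mrz: no IP, no translation)

/interface bridge settings
set use-ip-firewall=yes

/ip address
add address=192.168.88.250/24 interface=bridge1 \
    comment="present only so /ip firewall nat can translate bridged traffic"

/ip firewall nat
# Any DNS query crossing the bridge that is not already going to the local
# resolver is rewritten to it. dstnat runs before the forward filter, so the
# forward rules below see the rewritten (LAN) destination and let it through.
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    dst-address=!192.168.88.53 action=dst-nat to-addresses=192.168.88.53 \
    comment="force LAN resolver (UDP)"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    dst-address=!192.168.88.53 action=dst-nat to-addresses=192.168.88.53 \
    comment="force LAN resolver (TCP)"

/ip firewall filter
# The box is a pure L2 bridge: nothing addressed to 192.168.88.250 is answered.
add chain=input action=drop comment="pure L2 box, drop all input"
# Belt and braces: DNS that still points outside the LAN after NAT is dropped
# here instead of being handed to the core router.
add chain=forward protocol=udp dst-port=53 dst-address=!192.168.88.0/24 \
    action=drop comment="no DNS leaves the LAN"
add chain=forward protocol=tcp dst-port=53 dst-address=!192.168.88.0/24 \
    action=drop comment="no DNS leaves the LAN"
```

Two caveats a practitioner would check before relying on this. First, dst-nat is stateful: the resolver's reply must pass back through the same bridge so that connection tracking can restore the original destination (e.g. 8.8.8.8) in the source field, otherwise the client discards an answer from an address it never queried; a resolver that sits on the same segment as the client, bypassing the bridge on the return path, breaks the redirect. Second, the drop-all input rule also drops management traffic (Winbox, SSH, ping) arriving at the bridge address, so management must reach the device through another interface; and since /ip firewall does not filter ARP, the bridge still answers ARP for whatever address is assigned, which is why the example takes an unused address from the LAN range rather than an arbitrary public one such as 1.2.3.4 (which would also install a connected route for that prefix on the device).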
