Then it sends the query to 220.127.116.11 port 53, Google DNS replies to 192.168.88.10 (ignoring NAT for now) port 4145... and now you've accidentally blacklisted Google.
Blacklisting on UDP traffic should not be included in any firewall rules ever, because UDP is connectionless and easily spoofed.
Blacklisting on TCP traffic should only occur for SYN attempts (connection state new) to specific ports, otherwise you risk blacklisting randomly when the OS picks a port that happens to coincide with a blacklisted one.
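The two rules above (never blacklist on UDP; on TCP only on a new-connection SYN to a specific watched port) can be checked against concrete packets. The following Python is an added example, not code from the thread or from any router vendor: it models a naive "any packet to a watched port" trigger beside the stricter SYN-only trigger and runs both over a few constructed packets, including the DNS-reply scenario from the post (watched port numbers and addresses are assumptions for illustration).

```python
"""Blacklist-trigger decision logic, added example (not from the forum post).

Models the argument above: a blacklist rule that fires on *any* packet whose
destination port is watched will catch return traffic landing on an ephemeral
port (e.g. a DNS reply to port 4145), while a rule restricted to new TCP
connections (SYN without ACK) to watched ports does not. All packets below are
constructed sample data using documentation/test-net addresses.
"""
from dataclasses import dataclass

# Assumption: the ports this router's honeypot-style rule watches; 4145 is
# included because it is the ephemeral port hit in the post's DNS example.
WATCHED_PORTS = {22, 3389, 4145}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag (ignored for UDP)
    ack: bool = False  # TCP ACK flag (ignored for UDP)


def is_new_tcp_connection(pkt):
    """Connection-state 'new' approximated as a bare SYN (no ACK) on TCP."""
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack


def naive_should_blacklist(pkt, watched=WATCHED_PORTS):
    """The broken rule: any protocol, any state, destination port watched."""
    return pkt.dport in watched


def should_blacklist(pkt, watched=WATCHED_PORTS):
    """The rule the post recommends: TCP only, SYN only, watched port only."""
    if pkt.proto != "tcp":
        return False              # UDP is connectionless and spoofable: never
    if not is_new_tcp_connection(pkt):
        return False              # mid-stream segments are not connection attempts
    return pkt.dport in watched


def evaluate(packets, rule):
    """Return the sorted set of source addresses the given rule would blacklist."""
    return sorted({p.src for p in packets if rule(p)})


# Constructed traffic: one genuine probe and three legitimate replies whose
# destination happens to be a watched port number chosen by the client OS.
SAMPLE_PACKETS = [
    # Resolver answering a DNS query that left from ephemeral port 4145
    Packet("udp", "203.0.113.53", 53, "192.168.88.10", 4145),
    # Genuine inbound SYN to SSH from an outside host
    Packet("tcp", "198.51.100.7", 51234, "192.168.88.1", 22, syn=True),
    # Web server's SYN+ACK back to a client whose ephemeral port was 3389
    Packet("tcp", "198.51.100.9", 443, "192.168.88.10", 3389, syn=True, ack=True),
    # Established-flow ACK arriving on port 22 of the router (no SYN)
    Packet("tcp", "198.51.100.11", 40000, "192.168.88.1", 22, ack=True),
]


if __name__ == "__main__":
    print("naive rule blacklists:", evaluate(SAMPLE_PACKETS, naive_should_blacklist))
    print("strict rule blacklists:", evaluate(SAMPLE_PACKETS, should_blacklist))
```

Running it shows the naive rule blacklisting the resolver and two legitimate peers, while the strict rule only lists the host that actually opened a new connection to a watched port; the same distinction is what the connection-state and SYN-flag matchers in a real firewall ruleset provide.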
Good point, my friend.. BUT... I'm not using Google for DNS resolving... neither are my clients on the network.. What I mean is that there is no possible way to send DNS requests to Google IPs.. with a connection originating from this specific router or any other router in the internal network.
So.. that was a good hypothesis, but unfortunately that's not the case.
I also strongly agree that inbound and forward traffic should be "firewalled" on SYN packets. That was a good point.