Actually TCP/53 out is almost always allowed. Too many
things break if you block TCP/53 out. Similarly TCP to
recursive servers is almost always allowed because blocking
it breaks too many things.
Recursive nameservers generally deal with stupid firewalls
by adjusting how they make their queries.
EDNS0@4096 -> EDNS0@512 -> plain DNS.
Stub resolvers generally don't do EDNS so they are not
impacted by stupid firewalls. This will change as DNSSEC
processing moves into the application.
An EDNS referral from the root servers to the COM servers
already exceeded 512 bytes. The world hasn't fallen over.
That's dealt with that myth.
Mark
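The fallback chain Mark describes (EDNS0@4096 -> EDNS0@512 -> plain DNS, plus a TCP retry when a UDP answer comes back truncated) can be shown with a small simulation. The code below is an added example, not part of Mark's post and not BIND's own logic: `build_query` assembles a minimal DNS query with an optional EDNS0 OPT RR (RFC 6891 layout), `resolve` walks the chain, and the three `send` callables are constructed models of middlebox behaviour (a firewall that drops UDP queries advertising more than 512 bytes, one that drops any EDNS query, and a server whose answer does not fit in UDP). The assumption that a dropped query shows up as a timeout and that a timeout moves one step down the chain is mine.

```python
"""Added example: EDNS0 fallback (4096 -> 512 -> plain DNS) and TCP retry on truncation.

Assumed behaviour (constructed for this example, not taken from the post):
 - a UDP query that gets no reply (dropped by a firewall) is a 'timeout';
 - a timeout moves the resolver one step down the chain;
 - a reply with TC=1 ('truncated') is retried unchanged over TCP/53.
"""
import struct

OPT_TYPE = 41                      # EDNS0 OPT pseudo-RR type
CHAIN = (4096, 512, None)          # EDNS0@4096 -> EDNS0@512 -> plain DNS (no OPT)


def build_query(qname, qtype=1, edns_bufsize=None, txid=0x1234):
    """Build a DNS query; with edns_bufsize set, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags 0x0100 = RD
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    qn = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qn + struct.pack("!HH", qtype, 1)                        # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def advertised_bufsize(msg):
    """Return the UDP payload size a query advertises in its OPT RR, or None for plain DNS.
    Assumes the layout build_query() produces (one question, OPT RR last)."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return None
    rtype, bufsize = struct.unpack("!HH", msg[-10:-6])                  # TYPE and CLASS of the last RR
    return bufsize if rtype == OPT_TYPE else None


def resolve(qname, send):
    """Walk the fallback chain. send(query_bytes, transport) models the network path and
    returns 'ok', 'timeout' or 'truncated'. Returns the list of (bufsize, transport) attempts."""
    attempts = []
    for bufsize in CHAIN:
        query = build_query(qname, edns_bufsize=bufsize)
        attempts.append((bufsize, "udp"))
        outcome = send(query, "udp")
        if outcome == "truncated":
            # TC=1: the answer did not fit in UDP; retry the same query over TCP/53
            attempts.append((bufsize, "tcp"))
            outcome = send(query, "tcp")
        if outcome == "ok":
            return attempts
        # 'timeout': assume a middlebox ate it and try the next, more conservative form
    raise RuntimeError("no answer even with plain DNS over UDP")


# Constructed middlebox / server models ("stupid firewalls")
def drops_large_edns(query, transport):
    """Firewall that drops UDP queries advertising a payload size above 512 bytes."""
    bufsize = advertised_bufsize(query)
    if transport == "udp" and bufsize is not None and bufsize > 512:
        return "timeout"
    return "ok"


def drops_any_edns(query, transport):
    """Firewall that drops every UDP query carrying an OPT RR."""
    if transport == "udp" and advertised_bufsize(query) is not None:
        return "timeout"
    return "ok"


def big_answer(query, transport, answer_size=1800):
    """Server whose answer is 1800 bytes: truncates on UDP when the client's limit is smaller."""
    limit = advertised_bufsize(query) or 512                             # plain DNS limit is 512
    if transport == "udp" and answer_size > limit:
        return "truncated"
    return "ok"


if __name__ == "__main__":
    for name, model in (("drops >512", drops_large_edns),
                        ("drops EDNS", drops_any_edns),
                        ("big answer", big_answer)):
        print(f"{name:11s} -> {resolve('example.com', model)}")
```

With `drops_large_edns` the resolver needs two UDP attempts, with `drops_any_edns` three, and with `big_answer` the 4096-byte advertisement is enough for the answer to fit on the first try; the same server behind a firewall that strips EDNS would instead end up at plain DNS with TC=1 and a TCP retry, which is why blocking TCP/53 out breaks things.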