MX Record Theories

Actually TCP/53 out is almost always allowed. Too many
  things break if you block TCP/53 out. Similarly TCP to
  recursive servers is almost always allowed because blocking
  it breaks too many things.

  Recursive nameservers generally deal with stupid firewalls
  by adjusting how they make their queries.

    EDNS0@4096 -> EDNS0@512 -> plain DNS.

  Stub resolvers generally don't do EDNS so the are not
  impacted by stupid firewalls. This will changes as DNSSEC
  processing moves into the application.

  A EDNS referral from the root servers to the COM servers
  already exceeded 512 bytes. The world hasn't fallen over.

  That's dealt with that myth.