I'm the OP, and following up my own posting with the results (and a small rant).
When I created a new, separate rule that passed UDP and TCP for port 53 only, things appeared to start working, and I see no more blocked domain traffic. Although I was certain I did exactly this earlier (or the equivalent), since nothing else changed, I have to assume it was a case of PEBKAC. It wouldn't be the first time, nor likely the last... Again, as far as I know the blocked packets I was seeing were always TCP, since the tcpdump of pflog adds "udp port xxx" to udp packets going through it and none of the blocked ones I saw had that. But maybe that's a problem with tcpdump, I don't know. For everyone who answered civily, and provided thoughtful and helpful information, my thanks; it's much appreciated. Thanks! For everyone else who whined like a spoiled child that I hadn't provided my entire ruleset in the very first posting: get a life. Are you here just to pump your fragile ego, or to actually answer questions? I was posting an extremely specific query that related to whether I was understanding one particular concept properly. I provided what I thought was the essential information to answer that query (specifically, the blocked packet and the rule that I thought should have passed it, in case I was missing something obvious). That seemed like the polite thing to do, and the most considerate of others' time. Certainly I always appreciate it when folks post their questions that way. If more of my pf.conf would have helped provide an answer, asking nicely (as Scott, among others, did) would have been appropriate, not an instant flame. If I had given my whole ruleset right from the start, I *know* someone would have responded with something like, "get lost, we're not here to debug your entire configuration for you". (Believe me, I''ve seen responses exactly like that here before.) Flame those you think are providing too much information and do the same for too little - gee, that's really effective advocacy for your OS of choice. A truism I've found in many fields is that those who are truly secure in their knowledge are usually the kindest and most tolerant of those below them; it's those who are insecure - and always less knowledgable than they want to admit - who need to belittle others.
