DrayTek UK Users' Community Forum
Firewall syslog syntax - quick question?

10 Feb 2022 10:43 #1 by russhay
On a 2766 Vigor, I can see drops in the firewall log for DNS from a high port, but no associated rule number. So if a firewall drop just shows '[Session]', what part of the firewall is dropping it? (Particularly as I allow outbound DNS.) I've checked https://draytek.co.uk/support/guides/kb-vigor-syslog-firewall and it doesn't explain it.

Jan 1 22:23:26 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38411->84.53.139.192:53]

So what's dropping DNS in this case? (The .253 address is on the internal LAN.) It's probably user error - I'll put my hand up to that in advance!


10 Feb 2022 11:40 #2 by admin3
I think the guide's out of date or doesn't cover that, but it says 'session', so that should be a session limit. But the router supports 50,000 sessions, so it should not be that? The quickest way to check is to go to [Firewall] > [General Setup] - Default Rule tab and see the session count there.

The random source port and defined destination port mean it's just an outgoing DNS request. Maybe try recreating that in [Firewall] > [Diagnose] to see if that's allowed?

Forum Administrator

10 Feb 2022 12:13 #3 by johnpa7
My understanding is that 84.53.139.192:53 has been blocked by a selection in your firewall setup. A whois check shows 84.53.139.192:53 is akamai.com, a cloud service used as a CDN (content delivery) service. My limited understanding is that these are servers that cache web pages for various companies to speed up loading of their pages. Do you use the CYREN app on the router?

10 Feb 2022 14:40 #4 by russhay
Thanks guys, I'll check the max sessions info and will try the rule simulator. I don't use any of the content blocking services, so it's a matter of finding out what this is; otherwise I'll wipe the router and rebuild it, testing after each new rule - a process I'd prefer to avoid!

10 Feb 2022 15:16 #5 by russhay
Okay, so I tracked it down - obvious in hindsight.

Under Bandwidth Management / IPv4, Default Max Sessions = 100 was ticked, which also explains why it was being dropped with [Session]. No doubt that was my error at some point!

Thanks for the pointers!

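The thread's conclusion is that a `[Firewall][Block][Session]` line is a per-host session-count drop (Bandwidth Management / Default Max Sessions), not a filter-rule match, which is why no rule number appears. The following is an added example, not code from the thread or from DrayTek: a small parser for syslog lines in the exact layout of the one quoted above, plus two counters an admin could run over an exported log to spot a host that is hitting its session limit and which services (destination ports) it is losing. The regex is derived only from that single quoted line and is an assumption for any other DrayTek message layout; the sample log lines beyond the first are constructed, and the threshold of three is an arbitrary choice.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Regex for the DrayTek firewall syslog line in the layout shown in this thread:
#   <Mon D HH:MM:SS> <host> DrayTek: [Firewall][<action>][<reason>][<src>:<sport>-><dst>:<dport>]
# Only this layout is handled. It is taken from the single line quoted in the thread and
# is an assumption for any other DrayTek firewall message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) DrayTek: "
    r"\[Firewall\]\[(?P<action>[^\]]+)\]\[(?P<reason>[^\]]+)\]"
    r"\[(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\]$"
)


@dataclass(frozen=True)
class FirewallEvent:
    ts: str
    host: str
    action: str   # e.g. "Block"
    reason: str   # e.g. "Session": the per-host session-limit drop discussed in the thread
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Parse one syslog line; return None for lines that are not firewall events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return FirewallEvent(
        ts=m["ts"], host=m["host"], action=m["action"], reason=m["reason"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )


def session_limit_drops(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Count [Firewall][Block][Session] events per source IP and return the hosts at or
    above `threshold`. Repeated [Session] blocks from one host point at the session-count
    limit (Bandwidth Management / Default Max Sessions) rather than at a filter rule,
    which is what the thread concluded. The threshold is an arbitrary choice."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.action == "Block" and ev.reason == "Session":
            counts[ev.src] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def blocked_services(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Count blocks per (source IP, destination port) so the admin can see which
    services a host is losing (port 53 = DNS, as in the thread)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.action == "Block":
            counts[(ev.src, ev.dport)] += 1
    return dict(counts)


# Constructed sample log: the first line is the one quoted in the thread; the rest are
# made up in the same layout, plus one non-firewall line that the parser must skip.
SAMPLE_LOG = [
    "Jan 1 22:23:26 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38411->84.53.139.192:53]",
    "Jan 1 22:23:27 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:38412->84.53.139.192:53]",
    "Jan 1 22:23:29 gateway DrayTek: [Firewall][Block][Session][192.168.1.253:40102->198.51.100.7:443]",
    "Jan 1 22:23:30 gateway DrayTek: [Firewall][Block][Session][192.168.1.20:51000->198.51.100.7:443]",
    "Jan 1 22:23:31 gateway DrayTek: some unrelated router message",
]

if __name__ == "__main__":
    for ip, n in session_limit_drops(SAMPLE_LOG).items():
        print(f"{ip}: {n} [Session] blocks - check the per-host session limit, not the rule set")
    for (ip, port), n in sorted(blocked_services(SAMPLE_LOG).items()):
        print(f"{ip} -> port {port}: {n} blocked")
```

Run it against a syslog export from the router; a host that shows up in `session_limit_drops` with only `[Session]` blocks and no rule number is the same symptom the thread ended on, and the place to look is the Default Max Sessions setting rather than the filter rules.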