SecureXL is using previously cached MAC address (associated with the involved IP address) for accelerated connections sent from Server to Client (in this case, packets sent from the DNS server to the Client).
For F2F packets, the OS is aware that this IP-to-MAC address mapping is stale, so it sends an ARP Request for the IP address and updates the cache with the correct value.
However when SecureXL queries for the MAC address, the ARP Request is not sent. As a result, SecureXL is using previously cached MAC address (associated with the involved IP address).