The Flags field on the packet is "0x8020." The "0x20" in the second byte of the flag indicates that the answer is authenticated using Domain Name System Security Protocol (DNSSEC). By default the security gateway drops packets with DNSSEC.
RFC 1035 states, the "Z" (zero) flag of the DNS message header is defined as "Reserved for future" use. Must be zero in all queries and responses." However, RFC 2535 provides for the use of two of the three Z-flag bits. Those bits are considered DNS security bits. Packets with those two bits are an integral part of many server connections.
RFC 1035: "Domain names - implementation and specification".
RFC 2535: "Domain Name System Security Extension".