I just stumbled across this while figuring out why websites were inaccessible on my Qubes installation:

The firewall currently allows UDP traffic on port 53 for the purpose of DNS queries, but does not allow TCP traffic on port 53 (commonly used for DNS Zone transfers, but also for queries with a response over 512 bytes that would otherwise be truncated.

Is there a reason why the Qubes firewall defaults to only UDP, or can I safely make this adjustment?