It’s more complex than I think.
Things to do as mentioned here.
- No protection against DoH (DNS over HTTPS, port 443)
- No protection against DoT (DNS over TLS, port 853)
- No blocking of direct DNS queries to non-VPN servers
- Race condition issues: network up before NFTables rules applied
- Template updates can introduce leaks
- NFTables chains can be overwritten by Qubes Firewall service
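As an added illustration (not from the post or the linked discussion), this is the kind of nftables ruleset the points above call for: it drops port 853, restricts plain DNS to the VPN resolver through the tunnel, and lives in its own table. The interface name `tun0` and the resolver address `10.8.0.1` are placeholders, and it is an assumption that the Qubes firewall service only rewrites chains in its own `qubes` table and so leaves a separate table alone.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset, not the project's own configuration.
# Placeholders: tun0 = VPN tunnel interface, 10.8.0.1 = VPN-side DNS resolver.
# Own table: assumed not to be flushed when the Qubes firewall service
# regenerates the chains in its own "qubes" table.
table inet vpn_dns_guard {

    # Traffic originating in this qube itself
    chain output {
        type filter hook output priority filter - 10; policy accept;

        # DoT (TCP/853) and DNS-over-QUIC (UDP/853) have no legitimate
        # destination here, so drop them outright
        tcp dport 853 counter drop
        udp dport 853 counter drop

        # Plain DNS only to the VPN resolver, only through the tunnel
        oifname "tun0" ip daddr 10.8.0.1 udp dport 53 accept
        oifname "tun0" ip daddr 10.8.0.1 tcp dport 53 accept
        udp dport 53 counter drop
        tcp dport 53 counter drop

        # DoH rides on TCP/443 and cannot be told apart from ordinary HTTPS
        # by port alone; this table does not address it
    }

    # Traffic forwarded on behalf of downstream qubes gets the same policy
    chain forward {
        type filter hook forward priority filter - 10; policy accept;

        tcp dport 853 counter drop
        udp dport 853 counter drop
        oifname "tun0" ip daddr 10.8.0.1 udp dport 53 accept
        oifname "tun0" ip daddr 10.8.0.1 tcp dport 53 accept
        udp dport 53 counter drop
        tcp dport 53 counter drop
    }
}
```

The `counter` statements make the drop rules visible in `nft list table inet vpn_dns_guard`, which is the quickest way to confirm that queries are actually being stopped rather than silently leaking. To keep the race condition off the list, load the file with `nft -f` before the tunnel interface is brought up, not from a hook that fires after networking is already live.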