If a segment security profile has any of the features enabled as in the below screenshot, the default behavior in NSX 3.2.3 is that the DHCP sever Block will automatically be applied.

You will see the output on CLI as follows:

Executing:: nsxdp-cli swsec get config --dvport <dv-portid>--dvs-alias <DVS-Name>
Features Enabled : DHCP snooping,ARP snooping,BPDU Filter (Bitmap=0x7fffffff),DHCP server block,DHCPv6 server block

NSX 3.2.3

The issue is resolved in NSX 4.2.X

The workaround is to create a new segment security profile with all features disabled. This will ensure the DHCP block is not automatically enabled.