DFW rule with an FQDN context profile attached is not matched as expected

Article ID: 418242


Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

A DFW allow rule exists using an L7 Context Profile with FQDNs, but the rule is never hit.

Environment

VMware NSX - All Versions

Cause

  • FQDN filtering relies on DNS inspection: NSX watches DNS responses to dynamically map FQDNs to IP addresses, and those mappings are what the FQDN-based DFW rules are enforced against.
  • Because no L7 DNS rule was configured above the L7 FQDN rule, NSX was not inspecting DNS responses and therefore never learned any FQDN-to-IP mappings.
  • Without the L7 DNS rule, an FQDN-based DFW rule has no IP addresses to match and will never be hit.

Resolution

Refer to the FQDN Filtering techdoc for the steps to configure FQDN Filtering correctly:

"Set up an L7 DNS context profile rule first, and then the FQDN allowlist or denylist rule below it"
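As an added illustration (not VMware's code and not part of the KB), the check below walks a DFW policy in rule order and flags any FQDN rule that has no allowing L7 DNS rule above it, which is the exact misconfiguration this article describes. The input shape loosely follows NSX Policy API rule and context-profile objects, and the built-in DNS profile path, the attribute keys `APP_ID`/`DOMAIN_NAME` and the sample rules are all assumptions constructed for the example.

```python
# Added example: static check for the "FQDN rule with no L7 DNS rule above it" misconfiguration.
# Assumed shapes: rules carry "sequence_number", "action" and context profile paths in
# "profiles"; profiles carry "attributes" with a "key" (APP_ID or DOMAIN_NAME) and "value" list.

DNS_PROFILE_PATH = "/infra/context-profiles/DNS"  # assumed built-in DNS context profile path

# Constructed context profiles: the DNS profile and a custom FQDN (DOMAIN_NAME) profile.
CONTEXT_PROFILES = {
    DNS_PROFILE_PATH: {"attributes": [{"key": "APP_ID", "value": ["DNS"]}]},
    "/infra/context-profiles/fqdn-example": {
        "attributes": [{"key": "DOMAIN_NAME", "value": ["*.example.com"]}]},
}

def attr_values(profile, key):
    """Collect every value of attributes with the given key in a context profile."""
    return {v for a in profile.get("attributes", []) if a.get("key") == key
            for v in a.get("value", [])}

def is_dns_rule(rule, profiles):
    """True if the rule carries the DNS context profile (by path or by APP_ID)."""
    return any(path == DNS_PROFILE_PATH
               or "DNS" in attr_values(profiles.get(path, {}), "APP_ID")
               for path in rule.get("profiles", []))

def is_fqdn_rule(rule, profiles):
    """True if any attached profile matches on DOMAIN_NAME, i.e. an FQDN profile."""
    return any(attr_values(profiles.get(path, {}), "DOMAIN_NAME")
               for path in rule.get("profiles", []))

def fqdn_rules_without_dns(policy, profiles):
    """Return ids of FQDN rules evaluated before any allowing L7 DNS rule.

    Rules are walked in sequence_number order: DNS inspection can only learn
    FQDN-to-IP mappings from DNS responses that an earlier rule lets through.
    """
    dns_seen, missing = False, []
    for rule in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if is_dns_rule(rule, profiles) and rule.get("action") == "ALLOW":
            dns_seen = True
        elif is_fqdn_rule(rule, profiles) and not dns_seen:
            missing.append(rule["id"])
    return missing

# Constructed sample rules: the KB's broken policy (FQDN rule alone) and the fixed one.
FQDN_RULE = {"id": "allow-fqdn", "sequence_number": 20, "action": "ALLOW",
             "profiles": ["/infra/context-profiles/fqdn-example"]}
DNS_RULE = {"id": "allow-dns", "sequence_number": 10, "action": "ALLOW",
            "profiles": [DNS_PROFILE_PATH]}
BROKEN_POLICY = {"rules": [FQDN_RULE]}            # no DNS rule: FQDN rule never hit
FIXED_POLICY = {"rules": [FQDN_RULE, DNS_RULE]}   # DNS rule ordered above the FQDN rule
```

Running `fqdn_rules_without_dns` on a policy exported from the Policy API gives a quick pre-check before chasing packet captures.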