We don't discriminate on packet sizes of any UDP or DNS traffic. By "some firewall programs", what they're specifically referring to there is the old Cisco PIX/ASA default limit of 512 bytes on DNS requests. Almost every PIX config we see has that broken, so it's undoubtedly caused numerous issues along those lines. If you're using the DNS forwarder, we default to dnsmasq's default of 4096 for --edns-packet-max, the recommended value per RFC 5625. If your Windows server does its own recursive lookups, there is no limit induced by the firewall.