@rlyoxthimer
DNS is UDP. pfBlockerNG may not be fully compatible with ALTQ.
Think of Snort as a traffic shaper. It typically breaks ALTQ links on interfaces it is assigned to.
Match rules don't necessarily match with the quick option, and it probably shouldn't be used with matching for ALTQ or limiters.
Try tagging the traffic on the LAN interface, inbound (which means on upload), as a floating match rule, THEN match traffic on the LAN interface with a floating rule for ALTQ, THEN match traffic on the WAN for ALTQ. It is confusing because of how states are created and NAT. States are created on the interface they are seen: first on the LAN, and then on the WAN.
Quick rules match first, in order, and non-quick rules match on a last-seen-match basis, both top-to-bottom on firewall rules.
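The three-step ordering described in the post above (tag on LAN inbound, match on LAN for ALTQ, match on WAN for ALTQ) written out as a hand-written pf(4) ruleset. This is an added illustration, not pfSense's generated rules and not anything the poster supplied; the interface names, the VoIP host address, the bandwidths and the queue names are all assumptions chosen for the example.

```pf
# Interfaces, host address and bandwidths are assumptions for illustration.
lan = "em1"
wan = "em0"
voip_phone = "192.168.1.10"

# ALTQ on each interface: one default queue plus one priority queue.
# Queue names are kept distinct per interface so that each match rule
# names exactly the queue on the interface it applies to.
altq on $lan cbq bandwidth 100Mb queue { qLanDefault, qLanVoip }
queue qLanDefault bandwidth 90% cbq(default)
queue qLanVoip    bandwidth 10% priority 7 cbq

altq on $wan cbq bandwidth 20Mb queue { qWanDefault, qWanVoip }
queue qWanDefault bandwidth 90% cbq(default)
queue qWanVoip    bandwidth 10% priority 7 cbq

# Step 1: tag the traffic as it enters the LAN interface (upload direction).
# A match rule never terminates evaluation, so it carries no "quick".
match in on $lan proto udp from $voip_phone tag VOIP

# Step 2: match the tagged traffic on the LAN interface and assign the
# LAN-side queue.
match on $lan tagged VOIP queue qLanVoip

# Step 3: match the same tagged traffic on the WAN interface and assign
# the WAN-side queue.
match on $wan tagged VOIP queue qWanVoip

# Match rules are last-match: a later match rule on the same interface
# overrides the queue set by an earlier one. Because the step 1 rule
# tags all UDP from the phone, its DNS queries would land in the VoIP
# queue too; this later rule moves DNS back to the default queue.
# Placing it above step 2 would let step 2 win instead.
match on $lan proto udp from $voip_phone to any port 53 queue qLanDefault

# Quick pass rules stop at the first match, so they come last: by the
# time they run, the match rules above have already set tag and queue.
pass in quick on $lan from 192.168.1.0/24 to any keep state
pass out quick on $wan keep state
```

Syntax can be checked without loading the rules using `pfctl -nvf <file>` on a pf host with ALTQ support; in pfSense the same ordering is expressed through floating match rules in the GUI rather than edited directly.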