Forcing all DNS traffic from the LAN to the firewall

DNS has always been designed to use both UDP and TCP port 53, with UDP being the default and TCP as the fallback.
If --protocol remains undefined, then all port 53 traffic, on any protocol, will be redirected.

The first ACCEPT is to let the firewall know that the mentioned IP can send directly and does not get redirected.
The second entry defines the REDIRECT to the FW (and it decides which DNS to use), instead of to the destination DNS the workstation wants to use.

What are you asking that I am missing?
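The two-rule layout described above, as an added example that is not part of the original post: an ACCEPT exception for one host in the nat PREROUTING chain, followed by the REDIRECT for everyone else. Interface, host address and port names (LAN_IF, ALLOWED_IP, FW_DNS_PORT) are assumptions; the rules are emitted per protocol because iptables requires `-p` before `--dport`, so one rule cannot cover UDP and TCP at once.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the nat/PREROUTING rules
# that exempt one host and send all other LAN port-53 traffic to the firewall's
# own resolver. Assumed values: LAN_IF, ALLOWED_IP, FW_DNS_PORT. Nothing is applied
# unless APPLY=1 is set and the script runs as root; otherwise it only prints.

dns_redirect_rules() {
  # $1 = inside interface, $2 = host allowed to query outside resolvers directly,
  # $3 = port the firewall's resolver listens on (default 53)
  lan_if="$1"; allowed_ip="$2"; fw_port="${3:-53}"

  # Rule 1 (one per protocol): ACCEPT in the nat chain means "no translation",
  # so the exempt host leaves the chain here and is never rewritten.
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j ACCEPT\n' \
      "$lan_if" "$allowed_ip" "$proto"
  done

  # Rule 2 (one per protocol): every other packet to any destination on port 53
  # gets its destination rewritten to this firewall, on the resolver's port.
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports %s\n' \
      "$lan_if" "$proto" "$fw_port"
  done
}

# Count of rules the generator emits: 2 ACCEPT + 2 REDIRECT.
dns_redirect_rule_count() {
  dns_redirect_rules "$@" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
  # Order matters: the ACCEPT exceptions are appended first, so they match first.
  dns_redirect_rules "${LAN_IF:-eth1}" "${ALLOWED_IP:-192.168.1.10}" "${FW_DNS_PORT:-53}" | sh
else
  dns_redirect_rules "${LAN_IF:-eth1}" "${ALLOWED_IP:-192.168.1.10}" "${FW_DNS_PORT:-53}"
fi
```

Run without APPLY to review the rules before loading them; `iptables -t nat -L PREROUTING -n --line-numbers` afterwards shows whether the ACCEPT lines really sit above the REDIRECT lines.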