Keep TLS, no need for UDP.
Seems like it’s the same problem I had with my VF cable connection → DHCP client on red0 won't reassign IP upon reconnection - #25 by angrytux
I named it check_red.sh and a cronjob checks if red is down. If that’s the case, IPFire handles a reconnect. Cronjob: */15 * * * * /root/check_red.sh
It takes a few minutes and all works again, including DNS.