class firewall::rules::out::dns (
  String $ipset = 'dns_resolver',
  Array[Stdlib::Port] $ports = [53],
) {

  $ports.each |$port| {
    nftables::rule { "default_out-dns_udp_${port}":
      content => "udp dport ${port} ip daddr @${ipset} accept",
    }
    nftables::rule { "default_out-dns_tcp_${port}":
      content => "tcp dport ${port} ip daddr @${ipset} accept",
    }
  }
}