In a corporate environment you must use only the company DNS internal resolver and they are the only one that should go outside on port 53. This is a basic security measure to detect and block every attempt of DNS tunnelling or exfiltration

Even if you use the internal resolver you could exfiltrate the data.

Yes, but an internal resolver has filtering and must be heavy monitored. If the DNS logs are sent to a SIEM you will be detected quickly

I mean most of the time said company resolvers have a service that block either suspicious requests, or only allow whitelisted domains.

AFWall+ on Android is an example of this - even if an app is blocked, as long as it has Internet permission it can still make DNS requests, allowing for two-way communication despite the firewall.

Is it? Most firewalls I see allow no inbound by default (although all outbound)

I assume they were referring to outbound.

But ideally it'd be blocked and all traffic would go through an internal caching resolver, right? To reduce internal latency and load on outside servers, but also to have records if needed and to block whack requests or responses if needed.

highly detectable though. modern ngfw's are all over this.

And it typically works on captive portals too before payment.