Forum Discussion

MB1
Oct 22, 2019

Help with securing self IPs and forwarding virtual server for a DMZ server using non-HTTP

I have external DNS servers on private IPs in a DMZ VLAN. Normally, for servers behind the F5 we just use Automap and the servers' default gateway points at the firewall.

However, we want to see the real source IPs on the server in the logs using our DNS. Likewise we want all the traffic to or from the server to be using the same IP as the VIP. So there is a SNAT defined.

The service virtual server is listening on UDP port 53 only and has Source Address Translation set to None.

The SNAT is configured with the same IP as the main virtual server and the private IP of the DNS server.

I have to set the default route of the DNS server to point at the self IP of the F5 that is on the same DMZ VLAN as the DNS server.

I have static routes on the DNS server for internal networks to point at the firewall.

My problem is regulating outbound internet traffic for the DNS server. Currently its default route is pointing at the self IP of the same DMZ VLAN on the F5 and there is no forwarding virtual server. The self IP's Port Lockdown mode is set to "Allow none".

However, the DNS server still has open access to the internet, and I can see it is using the F5's self IP to simply route traffic out to the internet.

The Port Lockdown seems to be ignored and still allows the self IP to route outbound traffic?

I expected to have to create a forwarding virtual server, but there isn't one and yet all outbound traffic is allowed, and I can't do anything about filtering the outbound traffic.

My goal is to limit outbound traffic of the DNS server to just a few destination ports being allowed, with those connections to the internet having the source IP be the same public IP that is in use on the VIP for inbound UDP/53 and on the SNAT.

The DNS server has to use the F5 for the default gateway since I have to allow ANY IP in to resolve DNS from the internet and I need the real source IPs of the internet DNS clients in the DNS server logs. But I can't just leave the DNS server able to initiate connections outbound to anything on the internet.

Port Lockdown only handles traffic destined directly to the self IP, not traffic which it would forward.

If you're not using a remote logging destination and able to see your traffic there, you can simply use tcpdump from your BIG-IP device and filter on traffic from your DNS server to see which virtual server it is going through.

Something along the lines of:

tcpdump -i 0.0 -nn host <IP-address of DNS-server>

At the end of the line you should see something along the lines of:

in slot1/tmm0 lis=/Common/your_forwarding_vs
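As an added example (not code from the poster, the answerer or F5), here is a small Python parser for the kind of tcpdump output the answer describes. It extracts the source, destination, direction and the lis= listener suffix from each line, lists which listener the DMZ server's own outbound packets are matched on, and flags destination ports outside an allow-list. Lines without a lis= suffix are reported as "<no listener>", which is the case the answer's Port Lockdown remark covers (traffic aimed at the self IP itself rather than forwarded). The capture lines, IP addresses, listener names and tmm labels are all constructed for the example, and the server-originated/reply distinction is approximated by source port, which is an assumption of this script rather than anything the BIG-IP reports.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -i 0.0 -nn host 10.10.20.5` output on a BIG-IP.
# 10.10.20.5 stands in for the DMZ DNS server; listener names are hypothetical.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 203.0.113.9.51000 > 10.10.20.5.53: 4321+ A? example.com. (29) in slot1/tmm0 lis=/Common/vs_dns_udp53
10:00:01.000500 IP 10.10.20.5.53 > 203.0.113.9.51000: 4321 1/0/0 A 93.184.216.34 (45) in slot1/tmm0 lis=/Common/vs_dns_udp53
10:00:02.000001 IP 10.10.20.5.40001 > 198.51.100.7.53: 111+ A? root-servers.net. (34) in slot1/tmm1 lis=/Common/fwd_any
10:00:03.000001 IP 10.10.20.5.40002 > 198.51.100.8.443: Flags [S], seq 1, win 64240, length 0 in slot1/tmm1 lis=/Common/fwd_any
10:00:04.000001 IP 10.10.20.5.40003 > 198.51.100.9.25: Flags [S], seq 2, win 64240, length 0 in slot1/tmm0 lis=/Common/fwd_any
10:00:05.000001 IP 10.10.20.5.40004 > 10.10.20.1.22: Flags [S], seq 3, win 64240, length 0 in slot1/tmm0
"""

# One tcpdump line: timestamp, IPv4 src.port > dst.port, payload text,
# then the BIG-IP trailer "in|out <slot/tmm>" with an optional " lis=<listener>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*?"
    r"\b(?P<dir>in|out) (?P<tmm>\S+)(?: lis=(?P<lis>\S+))?$"
)


def parse_line(line):
    """Return a dict for one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def parse_capture(text):
    """Parse every recognisable line of a capture; unrecognised lines are skipped."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def server_originated(flows, server_ip, service_ports):
    """Packets the DMZ server sent into the BIG-IP ("in" direction) that are not
    replies from one of its published service ports (assumption: replies use the
    service port as source port, new outbound connections use an ephemeral port)."""
    return [
        f for f in flows
        if f["src"] == server_ip and f["dir"] == "in" and f["sport"] not in service_ports
    ]


def egress_by_listener(flows, server_ip, service_ports):
    """Map listener name -> {destination port: packet count} for server-originated traffic."""
    summary = defaultdict(Counter)
    for f in server_originated(flows, server_ip, service_ports):
        summary[f["lis"] or "<no listener>"][f["dport"]] += 1
    return {lis: dict(counts) for lis, counts in summary.items()}


def unexpected_egress(flows, server_ip, service_ports, allowed_dports):
    """(dst, dport, listener) for server-originated packets to a port outside the allow-list."""
    return [
        (f["dst"], f["dport"], f["lis"])
        for f in server_originated(flows, server_ip, service_ports)
        if f["dport"] not in allowed_dports
    ]


if __name__ == "__main__":
    flows = parse_capture(SAMPLE_CAPTURE)
    print("egress by listener:", egress_by_listener(flows, "10.10.20.5", {53}))
    print("outside allow-list:", unexpected_egress(flows, "10.10.20.5", {53}, {53, 443}))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the file contents; the listener names it prints are the virtual servers you would then tighten (destination port, source address, SNAT) so that only the intended ports reach the internet from the DMZ server.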