This did the trick for me, though I don't agree, as asserted, that it is "definitely not a bug" ... my logic dictates it is most CERTAINLY a bug, as you would think that you would only unblock certain countries which housed the website (discernible by the IP once the DNS host is looked up).
So, for example, I would expect to "not block Afghanistan" for all requests going to yellow-brick.com, meaning if yellow-brick ever housed the site elsewhere, or mirrored it with redundant servers etc., then the exception would fail to work.
You don't want to unblock all countries for 1 web URL. If, for example, DNS poisoning was used to redirect traffic for ... say ... google.com to a country they otherwise don't have a server in, for the purpose of infecting machines, then leaving all countries unchecked seems like it would allow traffic to all countries where the google.com DNS lookup said it lived.
You are not unblocking a country, just skipping the country check for the desired requests that are coming from your internal network.
As you can see in the attached print-screen, government.nl is still blocked.
And keep in mind, I only allow port 53 for the Google DNS service in the firewall rule (if the user doesn't want the DNS from DHCP).