I'm trying to lock down ports on my subnets, and am having a problem with an nginx instance that I'm running on ECS.
Traffic comes into the system on :443 to an ELB, which routes some of it to an nginx instance running on ECS, which proxy_pass-es it on to an external www address.
The nginx is set to proxy_pass to a domain name, and it's using an nginx resolver configuration, resolver 8.8.8.8 ipv6=off valid=10s, to resolve that to an IP address. The IP is not static, so I have to do this.
However, when I apply my network ACL, everything works except for this DNS resolution. nginx returns Bad Gateway responses complaining that my domain could not be resolved (110: Operation timed out).
The network ACL is set up to allow all outbound traffic for all protocols, but limits inbound traffic to a specific set of ports.
I've tried adding 53 (UDP and TCP) to the inbound rules, but resolution still fails.
It's important to note that if I allow all inbound traffic then the DNS resolution works.
My question is either:
- What do I need to do to get the nginx resolver working when my network acl is applied?
- I know that every VPC comes with a DNS server so as to route AWS DNS names to VMs. Could I use that as my resolver instead?
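The behaviour described in the question follows from network ACLs being stateless: a UDP query leaves the task from an ephemeral source port towards 8.8.8.8:53, and the reply comes back with source port 53 and the ephemeral port as its destination. An inbound rule for port 53 never matches that reply, which is why "allow all inbound" works and "add 53 inbound" does not. The model below, an added example that is not part of the question or of any answer on this page, reproduces the NACL evaluation order (lowest rule number that matches wins, implicit deny) and shows the lookup failing with the questioner's rules and succeeding once the ephemeral range AWS recommends for NACLs (1024-65535) is allowed inbound. It also computes the address of the Amazon-provided VPC resolver, which sits at the VPC network address + 2 and is reachable as 169.254.169.253 from any VPC. The task IP, rule numbers and ephemeral port are constructed for the example.

```python
"""Model of AWS network ACL evaluation for a DNS round trip.

Added example; not code from the original post. The task address,
rule numbers and the ephemeral source port are constructed values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str      # "tcp", "udp" or "all"
    port_from: int     # ignored when protocol == "all"
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules, pkt, direction):
    """Stateless evaluation: lowest rule number that matches wins, implicit deny.

    Inbound rules match the packet's source address against the CIDR; outbound
    rules match its destination. In both directions the port range is compared
    with the destination port, which is why a reply addressed to an ephemeral
    port is not covered by a rule for port 53.
    """
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", pkt.proto):
            continue
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "all" and not (r.port_from <= pkt.dst_port <= r.port_to):
            continue
        return r.action
    return "deny"


# The ACL as described in the question: all outbound allowed, inbound limited
# to 443, plus the attempted fix of adding 53/udp and 53/tcp.
OUTBOUND = [Rule(100, "all", 0, 0, "0.0.0.0/0", "allow")]
INBOUND_ORIGINAL = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "udp", 53, 53, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 53, 53, "0.0.0.0/0", "allow"),
]
# The fix: let replies back in on the ephemeral range AWS recommends for NACLs.
INBOUND_FIXED = INBOUND_ORIGINAL + [
    Rule(130, "udp", 1024, 65535, "0.0.0.0/0", "allow"),
    Rule(140, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

NGINX_TASK_IP = "10.0.1.25"   # constructed address for the ECS task


def dns_round_trip(inbound, outbound, resolver_ip, ephemeral_port=40123):
    """Return (query_verdict, reply_verdict) for one UDP lookup."""
    query = Packet("udp", NGINX_TASK_IP, ephemeral_port, resolver_ip, 53)
    reply = Packet("udp", resolver_ip, 53, NGINX_TASK_IP, ephemeral_port)
    return evaluate(outbound, query, "outbound"), evaluate(inbound, reply, "inbound")


def vpc_resolver(vpc_cidr):
    """Amazon-provided DNS lives at the VPC network address + 2
    (also reachable as 169.254.169.253 from any VPC)."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


if __name__ == "__main__":
    print("8.8.8.8, inbound 53 only   :", dns_round_trip(INBOUND_ORIGINAL, OUTBOUND, "8.8.8.8"))
    print("8.8.8.8, ephemeral allowed :", dns_round_trip(INBOUND_FIXED, OUTBOUND, "8.8.8.8"))
    print("VPC resolver for 10.0.0.0/16:", vpc_resolver("10.0.0.0/16"))
```

The wide inbound allow on 1024-65535 is the price of a stateless filter; Linux clients default to 32768-60999, but AWS recommends the full range because other operating systems and NAT devices use more of it. Port-level least privilege is better enforced in the security group, which is stateful and admits return traffic on its own. For the second question, the computed address (10.0.0.2 for a 10.0.0.0/16 VPC) or 169.254.169.253 can be used in the nginx resolver directive in place of 8.8.8.8; whether the NACL filters traffic to that resolver at all should be confirmed against the current AWS documentation rather than assumed from this model.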