Why do DNS queries fail after activating SRP?

If you are using Sophos antivirus and want to do application whitelisting with Software Restriction Policy (SRP) or AppLocker, watch out for this pitfall:

If you configure SRP to apply to all files (not just executables, but also DLL libraries), then you must allow the directory
C:\ProgramData\Sophos

Otherwise, for whatever reason, Windows will no longer see any DNS replies. You can still ping and otherwise reach the whole Internet as long as you use IP addresses, but everything that uses domain names will fail.

Note that you should not simply allow the whole directory
C:\ProgramData
because every user has permission to create subdirectories there.

In the past it was sufficient to allow the directory
C:\ProgramData\Sophos\Web Intelligence
but that subdirectory no longer exists, and the problematic DLL is now located elsewhere.
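The following PowerShell audit script is an added example; it is not part of the original post and is not a Sophos or Microsoft tool. It checks the points above on the affected machine: whether SRP is set to enforce DLLs as well as executables (TransparentEnabled = 2), whether an Unrestricted path rule covers C:\ProgramData\Sophos, whether any whitelisted directory is writable by ordinary users (the reason allowing all of C:\ProgramData is unsafe), and whether DNS resolution currently works. It assumes the policy is written to the standard machine-level SRP registry key (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) with path rules stored as ItemData values under per-level subkeys; the host name used for the DNS probe is a placeholder you can replace.

```powershell
# Added audit script (not from the original post or from Sophos). Run in an
# elevated PowerShell on the machine where SRP is applied. Assumption: the policy
# lands in the machine-level SRP registry key below, as Group Policy writes it.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Principals every non-admin user belongs to. If any of them may write to a
# whitelisted directory, a user can drop code there and have it run unrestricted,
# which is why the post warns against allowing all of C:\ProgramData.
$untrustedPrincipals = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-SrpEnforcement {
    # Summarises how SRP is enforced; TransparentEnabled = 2 means DLLs are checked too.
    if (-not (Test-Path $srpKey)) { return $null }
    $p = Get-ItemProperty -Path $srpKey
    [pscustomobject]@{
        TransparentEnabled = $p.TransparentEnabled   # 1 = executables only, 2 = all files incl. DLLs
        CoversDlls         = ($p.TransparentEnabled -eq 2)
        PolicyScope        = $p.PolicyScope          # 0 = all users, 1 = all except local admins
        DefaultLevel       = $p.DefaultLevel         # 0 = Disallowed, 262144 = Unrestricted
        LogFileName        = $p.LogFileName          # set only when advanced SRP logging is on
    }
}

function Get-SrpPathRules {
    # Enumerates path rules; each security level is a subkey named by its numeric value.
    $levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $srpKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $itemData = (Get-ItemProperty -Path $rule.PSPath).ItemData
            if (-not $itemData) { continue }
            [pscustomobject]@{
                Level  = $levels[$level]
                Path   = [Environment]::ExpandEnvironmentVariables($itemData)
                RuleId = $rule.PSChildName
            }
        }
    }
}

function Test-UserWritable {
    # $true if a non-admin principal has an Allow ACE granting write-type rights on $Path;
    # $null when the path does not exist on disk (e.g. registry-style %HKLM...% rules).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $mask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $acl  = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($untrustedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$mask) -ne 0) { return $true }
    }
    return $false
}

function Test-DnsResolution {
    # The symptom from the post: a name that should resolve but does not, while IP traffic works.
    param([string]$Name = 'www.example.com')   # placeholder host name
    try { $null = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop; return $true }
    catch { return $false }
}

# ---- report ----
$enf = Get-SrpEnforcement
if ($null -eq $enf) { Write-Host 'No SRP policy key present.'; return }
$enf | Format-List

$rules   = @(Get-SrpPathRules)
$allowed = @($rules | Where-Object Level -eq 'Unrestricted')
$sophos  = 'C:\ProgramData\Sophos'
$covered = $allowed | Where-Object {
    $prefix = $_.Path.TrimEnd('\')
    $prefix -and $sophos.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) }

if ($enf.CoversDlls -and -not $covered) {
    Write-Warning "DLLs are enforced but no Unrestricted rule covers $sophos; expect DNS failures."
}
foreach ($r in $allowed) {
    if ((Test-UserWritable -Path $r.Path) -eq $true) {
        Write-Warning "Unrestricted rule $($r.RuleId) allows user-writable path $($r.Path)"
    }
}
"DNS resolution works: $(Test-DnsResolution)"
if (-not $enf.LogFileName) {
    Write-Host 'Advanced SRP logging is off: blocked loads are only written to the file named by LogFileName.'
}
```

Run it once with the Sophos rule missing and once with it in place to see the DNS check flip; the user-writable warning is the check to keep running whenever a new path rule is added, since a whitelisted directory is only as trustworthy as its ACL.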

Why does Sophos place a DLL file in a Data directory?
Why does Windows not log SRP lockouts of this DLL in the Event Viewer?

See also more info about SRP