It seems that according to tcpdump the answer is normal, but the rest of those who connect slag.
Tcpdump on gateway:
IP 192.168.1.22.54379 > 8.8.8.8.53: 31031+ A? crl.microsoft.com. (35)
IP 192.168.1.1.53 > 192.168.1.22.54379: 31031 4/13/8 CNAME crl.www.ms.akadns.net., CNAME a1363.dscg.akamai.net., A 88.221.132.166, A 88.221.132.175 (507)
On a simple computer:
C:\Users\Admin>nslookup dbcom.ru
DNS request timed out.
timeout was 2 seconds.
Thöthö: UnKnown
Address: 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** UnKnown
C:\Users\Admin> request timed out
Rule in ipfw:
${fwadd} 0004 fwd 192.168.1.1,53 tcp from 192.168.0.0/16 to any 53 via ae0
${fwadd} 0005 fwd 192.168. 1.1,53 udp from 192.168.0.0/16 to any 53 via ae0
Then I missed it, but I don’t know what ...

IPFW and DNS server work on the same server, or on different ones?

dst-nat should be done, not fwd
fwd does not change
IP packet addresses 192.168.1.22.54379 > 8.8.8.8.53: 31031+ A? crl.microsoft.com. (35)
computer 1.22 asked 8.8.8.8 - "who is crl.microsoft.com"?
And computer 1.22 responded in the end with 1.1, for some reason... and not 8.8.8.8
IP 192.168.1.1.53 > 192.168.1.22.54379: 31031 4/13/8 CNAME crl.www.ms.akadns.net.
Well, given that the dns server and clients are on the same subnet, you also need to do src-nat