Cisco
m2_viktor, 2016-08-25 08:25:46

How do I properly configure an ACL between VLANs?

Hello, given the network 10.1.0.0/16 and the following scheme:
[network diagram image]
Required:
1. Allow vlan2 to request and receive its configuration via DHCP.
2. Allow vlan2 to send DNS requests for name resolution and receive the responses.
3. Allow vlan2 any traffic to any destination (for example, the web server ya.ru), except for 10.1.0.0/16 (for example, any traffic to vlan3 should be prohibited).
What I tried to do:

```
ip access-list extended mylist
 permit udp any host 255.255.255.255 eq bootps
 permit udp any host 10.1.254.4 eq domain
 deny ip any 10.1.0.0 0.0.255.255
 permit ip any any
!
int vlan2
 ip access-group mylist out
!
```
As a result, the PC in vlan2 receives its configuration via DHCP, but gets no response from the ya.ru web server over HTTP or ICMP. I tried by FQDN and by IP. Without the ACL, the web server is, naturally, reachable.
PS: As an answer, I would like to see the correct ACL, without recommendations for network optimization or other unnecessary text, just the ACL itself =)

1 answer
Dmitry Shitskov, 2016-08-25
@m2_viktor

Your vlan2 subnet falls within the `deny ip any 10.1.0.0 0.0.255.255` range.
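As an added example (not part of the original thread or of the answer above), here is one ACL layout that meets the three requirements: the list is applied inbound on the SVI, so it is evaluated on packets coming from vlan2 hosts rather than on replies returning to them, which is where the original `out` list was matching the deny line against the HTTP and DNS answers. Assumed: the SVI is named Vlan2 and the DNS server is 10.1.254.4, as in the question.

```cisco
! Added example, not from the original thread. Assumes the SVI is Vlan2
! and the DNS server is 10.1.254.4 as in the question.
ip access-list extended mylist
 remark DHCP from clients: DISCOVER/REQUEST to broadcast and unicast renewals
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver; must come before the 10.1.0.0/16 deny
 permit udp any host 10.1.254.4 eq domain
 remark block everything else inside 10.1.0.0/16 (e.g. vlan3)
 deny ip any 10.1.0.0 0.0.255.255
 remark anything else (Internet, e.g. ya.ru) is allowed
 permit ip any any
!
interface Vlan2
 ip access-group mylist in
!
```

Applied inbound, the list never sees the return traffic from ya.ru or the replies from 10.1.254.4, so no `established` or reflexive entries are needed. Check with `show ip access-lists mylist`: the hit counter on the deny line should grow only for traffic aimed at other 10.1.0.0/16 subnets, not for Internet-bound flows.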
