Why do DNS queries fail after activating SRP?

If you are using Sophos antivirus and want to do application whitelisting with Software Restriction Policy (SRP) or AppLocker, watch out for this pitfall:

If you configure SRP to apply to all files (not just executables, but also DLL libraries), then you must allow the directory
C:\ProgramData\Sophos\Web Intelligence

Otherwise, for whatever reason, Windows will no longer see any DNS replies. You can still ping and otherwise reach the whole Internet as long as you use IP addresses, but everything that relies on domain names will fail.

Note that you should not simply allow the whole directory
C:\ProgramData
because every user has permission to create subdirectories there, so a path rule covering it would also trust any DLL or executable a user drops into a subdirectory of their own.

For the same reason you should also not allow the whole directory
C:\ProgramData\Sophos
because every user has write permission in its subdirectory
C:\ProgramData\Sophos\Remote Management System
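Before adding a path rule, it is worth checking that nothing under the path is writable by ordinary users, which is exactly what goes wrong with the two broad directories above. The following PowerShell script is an added example, not part of the original post or of Sophos; it assumes it is run as an administrator on the affected machine, and the list of "broad" principals it treats as ordinary users is my own heuristic, not something the post defines.

```powershell
# Added example (not from the original post): audit candidate SRP/AppLocker
# path rules for locations that ordinary users can write to.
# Assumptions: run elevated; the directory names are the ones from the post.

# Rights that let a standard user introduce new code under a trusted path.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

# Well-known principals that include non-admin users (heuristic list, an assumption).
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Get-UserWritableDirs {
    param([Parameter(Mandatory)][string]$Root)

    # A path rule trusts the root and everything below it, so check all of them.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skipped, not assumed safe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -in $broadPrincipals -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# The two broad candidates from the post should report hits (ProgramData lets
# users create subdirectories; Remote Management System is user-writable);
# the narrow 'Web Intelligence' directory is the one to actually allow.
foreach ($candidate in 'C:\ProgramData',
                       'C:\ProgramData\Sophos',
                       'C:\ProgramData\Sophos\Web Intelligence') {
    $hits = @(Get-UserWritableDirs -Root $candidate)
    if ($hits.Count -eq 0) {
        "OK      $candidate : no user-writable directories found"
    } else {
        "UNSAFE  $candidate : $($hits.Count) user-writable location(s)"
        $hits | Format-Table -AutoSize | Out-String | Write-Output
    }
}
```

The check only looks at explicit and inherited Allow entries for the listed principals; a directory owned by a user (CREATOR OWNER rights) or granted to a custom group would need the principal list extended.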

Why does Sophos intercept DNS replies?
And why do they place a DLL file in a Data directory?

See also more info about SRP