Are you running tcpdump on the same machine that is doing the filtering? You do realize that tcpdump sees the packets as they come from the interface and before they are passed to the filter rules, right?
I had forgotten this important piece of information. Thank you for pointing this out. The packets still seem to be getting through to the BIND daemon, however, because I can still query the box from the Internet.
Does the count field from "iptables -vnL RH-Firewall-1-INPUT" show your REJECT rules being hit?
Yes, the rule gets hit and it returns an answer to the DNS query anyway. I saw it increment from 10 to 11 when I ran the query:
11 692 REJECT udp -- * * 10.100.1.1 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
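
One way to see every rule a single test query touches, not just the REJECT line, is to snapshot the chain's counters before and after the query and compare them. This is an added example, not part of the original thread; the `counter_delta` and `demo` names and the sample counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample counters below are constructed.
# On a live box take each snapshot with: iptables -vnxL RH-Firewall-1-INPUT
# (-x prints exact counters instead of rounded K/M values).

# counter_delta BEFORE AFTER: list rules whose packet counter grew.
counter_delta() {
    awk '
        FNR == 1 { n = 0 }                        # restart rule index per file
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {      # rule rows: pkts bytes ...
            n++
            if (FILENAME == ARGV[1]) { before[n] = $1; next }
            d = $1 - before[n]
            if (d > 0) {
                $1 = ""; $2 = ""; sub(/^ +/, "")  # drop counters, keep rule
                printf "rule %d +%d pkts: %s\n", n, d, $0
            }
        }' "$1" "$2"
}

# demo: run counter_delta over two constructed snapshots.
demo() {
    b=$(mktemp) a=$(mktemp)
    cat > "$b" <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     340    28560 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      10      629 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
EOF
    cat > "$a" <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     343    28812 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      11      692 REJECT     udp  --  *      *       10.100.1.1           0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
EOF
    counter_delta "$b" "$a"
    rm -f "$b" "$a"
}
demo
```

Rules are matched by their position in the chain, so both snapshots must come from the same, unmodified ruleset.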