Referring to the original problem in this thread, the problem for me was not DNS related I do not think.
We had AP's set up in two different locations with same access rules for guest network. However on one network as soon as rules were added (specifically allow http/s except to local subnet) the AP behaved differently, it did not send Guest Wifi traffic directly from the AP's static IP address any longer, but from the Guest device from DHCP range 172.24.31.*. This meant the firewall was blocking the Aruba's Guest devices on this ip range. This was not happening on the first Guest network I set up in the same way.
I compared the set up on both networks and could not find any difference which would cause this, in the end I changed the structure of the access rules to deny each of the corporate subnets and then allow everything esle as opposed to the 'allow http except to network ....'. So the Aruba AP was NAT'ing the Guest devices on one network but not on the other (I think)
Not sure why one network worked differently to another but the new access rules seems to work in all 3 locations so far.