Greetings from SensorFu and thanks for a good question! Sending DNS query via broadcast is a hack to escape from isolated environments and it takes advantage of operating system IP-stack's shortcomings. Since this is probably not conforming to any specifications anything could happen.

I'd say return channel might work and it depends on the device used to exfiltrate out. In case of proper DNS server like Active Directory mentioned in the article it's likely that it could work. But we have not yet done testing.

We have also seen devices that are not DNS servers and still just forward broadcast packets from one network interface to another. In such case the return channel might not be possible.