I have an EdgeRouter X configured with VLANs and Zone-Policies as described in this article: https://help.ubnt.com/hc/en-us/articles/204952154-EdgeMAX-Zone-Policy-CLI-Example
Let's say we have LAN, DMZ, WAN and Local zones. A DHCP service is configured to assign IP addresses on the LAN and DMZ zones / subnets. The WAN interface gets its IP address from the ISP using DHCP.
The zones are:
LAN-Local:
1. Allow established
2. Drop invalid
3. Allow ICMP
4. Allow DNS
5. Allow DHCP
6. Allow SSH
D: Drop
Local-LAN:
1. Allow established
2. Drop invalid
3. Allow ICMP
D: Drop
LAN-DMZ:
1. Allow established
2. Drop invalid
3. Allow ICMP
D: Drop
DMZ-LAN:
1. Allow established
2. Drop invalid
D: Drop
LAN-WAN:
1. Allow established
2. Drop invalid
3. Allow ICMP
4. Allow HTTP / HTTPS
D: Drop
WAN-LAN:
1. Allow established
2. Drop invalid
D: Drop
DMZ-Local:
1. Allow established
2. Drop invalid
3. Allow DNS
D: Drop
Local-DMZ:
1. Allow established
2. Drop invalid
3. Allow ICMP
D: Drop
DMZ-WAN:
1. Allow established
2. Drop invalid
3. Allow HTTP / HTTPS
D: Drop
WAN-DMZ:
1. Allow established
2. Drop invalid
D: Drop
WAN-Local:
1. Allow established
2. Drop invalid
D: Drop
Local-WAN:
1. Allow established
2. Drop invalid
3. Allow DNS
4. Allow NTP
D: Drop
Sorry for the lengthy zone description.
My problem is DHCP. Clients on the LAN get their DHCP addresses correctly. I would expect this since the LAN-Local zone rule allows this. Where it gets crazy is that clients on the DMZ also get a DHCP address!!! So why does this happen? Yes, there is a DHCP service configured to handle the DMZ subnet. But this should be a separate VLAN. And no firewall rule should allow DHCP traffic from the DMZ to Local.
So, is the DHCP service above the firewall and DHCP traffic is always routed to the DHCP service independent of the firewall? Or have I made a mistake in my firewall setup? And how do I debug this?
A secondary, again DHCP-related, question is how the WAN interface gets its IP address. There is no rule in the Local-WAN ruleset that permits DHCP. Somehow the WAN interface (eth0) manages to get an IP address from the ISP's DHCP server. Again, is there some magic regarding this or simply a bug in my firewall setup?
The reason I discovered this is that I am seeing DHCP related messages in the log:
router dhclient: dhclient.c:2164: Failed to send 300 byte long packet over fallback interface.
router dhclient: send_packet: Operation not permitted
Thanks!
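Added example, not part of the original post or of EdgeOS: a small log-triage script for the debugging step the post asks about. Two facts it relies on: ISC dhcpd and dhclient exchange broadcast DHCP through AF_PACKET raw sockets, which receive their copy of a frame before netfilter's INPUT chain and send around the OUTPUT chain, so the zone rulesets never decide whether a DISCOVER/OFFER gets through; and dhclient's "fallback interface" is an ordinary UDP socket used for unicast sends, for which a DROP in the OUTPUT path makes sendto() return EPERM, the "send_packet: Operation not permitted" line in the log. The useful check is therefore to turn on logging for the rulesets (EdgeOS's `enable-default-log` on the ruleset, or `log enable` on a rule) and look at what the firewall records: DHCP packets hitting the DMZ-Local drop rule while leases are still being issued is the signature of dhcpd answering through its packet socket. The syslog lines below are constructed; the log prefixes (`DMZ-Local-default-D`), the VLAN interface `eth0.20` and the addresses are hypothetical.

```python
"""Triage DHCP evidence in EdgeRouter syslog: netfilter LOG hits on DHCP ports
and dhclient EPERM symptoms.  Example code, not part of the post or of EdgeOS."""
import re
from collections import Counter

DHCP_PORTS = {67, 68}

# key=value pairs as written by the netfilter LOG target,
# e.g. "IN=eth0.20 OUT= PROTO=UDP SPT=68 DPT=67"
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
# EdgeOS puts the ruleset/rule/action in a bracketed prefix before the fields
_PREFIX = re.compile(r"\[([^\]]+)\]")
# dhclient reporting that the kernel refused a unicast send (OUTPUT-side drop)
_DHCLIENT_EPERM = re.compile(r"dhclient.*send_packet: Operation not permitted")


def parse_netfilter_log(line):
    """Return the LOG fields of a kernel netfilter line as a dict, or None."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    fields = dict(_KV.findall(line))  # a repeated key (LEN) keeps the last value
    m = _PREFIX.search(line)
    fields["PREFIX"] = m.group(1) if m else ""
    return fields


def is_dhcp(fields):
    """True when the logged packet is UDP between the DHCP ports 67 and 68."""
    if fields.get("PROTO") != "UDP":
        return False
    try:
        return (int(fields.get("SPT", -1)) in DHCP_PORTS
                and int(fields.get("DPT", -1)) in DHCP_PORTS)
    except ValueError:
        return False


def triage(lines):
    """Summarise a batch of syslog lines.

    Returns {'dhcp_logged': Counter keyed by (log prefix, IN interface) for
    DHCP packets the firewall logged, 'client_eperm': count of dhclient
    'Operation not permitted' lines}.  A DHCP hit on a '-D' (drop) prefix
    while clients on that interface still get leases means dhcpd received
    the request through its raw socket, ahead of netfilter.
    """
    logged = Counter()
    eperm = 0
    for line in lines:
        if _DHCLIENT_EPERM.search(line):
            eperm += 1
            continue
        f = parse_netfilter_log(line)
        if f and is_dhcp(f):
            logged[(f["PREFIX"], f.get("IN") or "-")] += 1
    return {"dhcp_logged": logged, "client_eperm": eperm}


# Constructed sample: two DHCP requests on the DMZ VLAN dropped by the
# DMZ-Local default rule, one DNS query accepted by rule 3, and the two
# dhclient lines quoted in the post (hypothetical timestamps/prefixes).
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel: [DMZ-Local-default-D]IN=eth0.20 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 10 12:00:01 router kernel: [DMZ-Local-default-D]IN=eth0.20 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=10.0.20.50 DST=10.0.20.1 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 10 12:00:02 router kernel: [DMZ-Local-3-A]IN=eth0.20 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=10.0.20.50 DST=10.0.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=40123 DPT=53 LEN=40
Jan 10 12:05:00 router dhclient: dhclient.c:2164: Failed to send 300 byte long packet over fallback interface.
Jan 10 12:05:00 router dhclient: send_packet: Operation not permitted
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for (prefix, iface), n in sorted(result["dhcp_logged"].items()):
        print(f"{n:4d} DHCP packet(s) logged by {prefix} on {iface}")
    print(f"{result['client_eperm']} dhclient send(s) refused by an OUTPUT drop")
```

Run against the real `/var/log/messages` (or `show log | match 'kernel|dhclient'`) after enabling logging on the DMZ-Local and Local-WAN rulesets; if the DMZ-Local drop prefix keeps counting DHCP packets while DMZ hosts still receive leases, the firewall is not the path those leases take, and a positive `client_eperm` count ties the dhclient errors to the missing DHCP allow in Local-WAN rather than to a WAN-side problem.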