DNS - forwarded for
Solution 1:
There is RFC 7871 which due to operational and privacy shortcomings does not yet have standards status. It uses an EDNS option which works very similar to X-Forwarded-For with the possibility to only include as many bits of the address as you deem appropriate for your usage case.
Matching this field using a firewall is going to be challenging because it is at the end of the request which means the offset is varying and the packet could be fragmented such that it cannot be identified without first reassembling the packet. Judging from the man page on my machine there seem to be no DNS specific filters in iptables.
Adding the field from a mangling rule in the firewall is going to be even more challenging. Thus you should most likely be looking for an application layer solution rather than a firewall, or avoid sending the packets through NAT.