I have a need to be able to identify which public DNS servers machines in internal networks are using for queries. To clarify, I do not want IPs or names of internal DNS servers or network devices. I need a scriptable way to identify what public servers they are calling to when queries are forwarded.
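One scriptable approach, added here as an example and not part of the original question: capture outbound port-53 traffic at an egress point (firewall, core switch SPAN port, or the resolver itself) with `tcpdump -nn` and tally the public destinations. The script below parses that text format, discards any lookup whose destination is internal (non-global addresses plus any explicitly listed internal ranges), and reports which internal hosts talk to which public servers. The sample capture lines, the 10.0.0.0/8 internal range and the sanctioned resolver 10.0.0.2 are all constructed assumptions for the demonstration.

```python
"""Tally which public DNS servers internal hosts send queries to.

Input is the text output of `tcpdump -nn -l 'udp dst port 53 or tcp dst port 53'`
run on an egress point. Only the flow header of each line is used.
"""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in tcpdump -nn format (assumed, not from the original post).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.2.53: 1001+ A? intranet.example.local. (40)
12:00:01.000002 IP 10.0.0.2.40001 > 8.8.8.8.53: 1002+ A? example.com. (29)
12:00:01.000003 IP 10.0.0.2.40002 > 1.1.1.1.53: 1003+ AAAA? example.com. (29)
12:00:02.000004 IP 10.0.0.7.50001 > 9.9.9.9.53: 1004+ A? updates.example.org. (37)
12:00:02.000005 IP 10.0.0.2.40003 > 8.8.8.8.53: 1005+ A? mail.example.net. (34)
12:00:03.000006 IP 192.168.1.20.55555 > 192.168.1.1.53: 1006+ PTR? 5.0.0.10.in-addr.arpa. (39)
12:00:03.000007 IP6 2001:db8::5.55000 > 2001:4860:4860::8888.53: 1007+ A? example.com. (29)
12:00:04.000008 IP 10.0.0.9.44444 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0
"""

# tcpdump prints "addr.port > addr.port:"; splitting on the last dot works for v4 and v6.
_FLOW_RE = re.compile(r"\bIP6? (\S+) > (\S+):")


def _split_addr_port(token):
    addr, port = token.rsplit(".", 1)
    return ipaddress.ip_address(addr), int(port)


def is_internal(addr, internal_nets):
    """True for anything that is not a public Internet address, plus explicitly
    listed internal ranges (for sites that use public space internally)."""
    return (not addr.is_global) or any(addr in net for net in internal_nets)


def forwarders(lines, internal_nets=(), port=53):
    """Map each public DNS server IP -> {internal client IP: query count}."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    seen = defaultdict(Counter)
    for line in lines:
        m = _FLOW_RE.search(line)
        if not m:
            continue
        try:
            src, _ = _split_addr_port(m.group(1))
            dst, dport = _split_addr_port(m.group(2))
        except ValueError:
            continue  # malformed or non-IP line
        if dport != port or is_internal(dst, nets):
            continue  # other services, or internal-to-internal lookups, are out of scope
        seen[str(dst)][str(src)] += 1
    return {dst: dict(clients) for dst, clients in seen.items()}


def bypassers(result, sanctioned_resolvers):
    """Internal hosts that query public DNS directly instead of via the site's
    own resolvers; these are the ones worth a closer look."""
    clients = {src for per_server in result.values() for src in per_server}
    return clients - set(sanctioned_resolvers)


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    res = forwarders(source, internal_nets=["10.0.0.0/8"])  # assumed internal range
    for dst, clients in sorted(res.items()):
        print(dst, sum(clients.values()), "queries from", ", ".join(sorted(clients)))
    leaks = bypassers(res, {"10.0.0.2"})  # assumed sanctioned internal resolver
    if leaks:
        print("hosts bypassing the internal resolver:", ", ".join(sorted(leaks)))
```

Run it live with `tcpdump -nn -l -i eth0 'udp dst port 53 or tcp dst port 53' | python3 dns_forwarders.py`. Two caveats: clients using DNS over HTTPS or DNS over TLS will not appear on port 53 (watch 443 and 853 separately), and the capture must be taken where forwarded queries actually leave, otherwise NAT will hide the original client behind the firewall's address.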
We have a mail gateway running in a DMZ, which is a relay for our internal mail server holding all the mail. We have come across the need to use DNS from the DMZ to resolve names of internal services (such as the internal mail server, etc.).
Should we allow DNS queries from the DMZ to LAN? This would result in a serious breach in case some of the DMZ servers were compromised.