What appears to be missing from this discussion is how CheckPoint ISP redundancy proxies the DNS queries for inbound connections...
This has to be configured in the SmartDashboard under your Gateway | Topology | ISP Redundancy | Enable DNS Proxy (see notes below).
Please read the Check Point Help pages in your ISP Redundancy tab [help]
The gateway will intercept inbound DNS queries for the configured hosts and reply with the "A" record for the preferred ISP link (active/backup) regardless of the DNS Server Priority or TTL.
I typically recommend to clients that they do not try to host their entire DNS structure. I recommend creating a subordinate zone (aka vdns.yourdomain.com) and have your ISP/DNS provider delegate this DNS zone to your DNS servers. Hosts in this domain would be denoted as www.vdns.yourdomain.com.
In this way you are not forced to be the SOA for your entire DNS domain, and only queries for the subordinate zone will be sent to your DNS and proxied by the CheckPoint Gateway.
To configure the DNS server for incoming connections:
In the DNS Proxy tab of the ISP Redundancy window, select Enable DNS proxy. VPN-1 responds to DNS queries with either one or two IP addresses, depending on the status of the ISP link and the redundancy mode. To configure this behavior, map each server name to an IP address pair by clicking Add... in the DNS Proxy tab.
Type a Host name (for example, www.vdns.yourdomain.com).
Add an IP address for ISP-1 (for example, 192.168.1.2) and an IP address for ISP-2 (for example, 172.16.2.2).
Each DNS reply has a Time To Live (TTL) field which indicates to the recipients of the reply how long the information in the reply may be cached. By default, VPN-1 replies with a TTL of 15 seconds. This can be changed in the DNS TTL field.
Hope this helps.
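As an added illustration (this is not code from the original poster or from Check Point), the following Python models the reply behaviour described above so you can reason about what a client should see, and includes a checker for validating replies observed from outside the gateway. The host map and addresses are the constructed values from the post; the rules for which addresses are returned per mode (ISP-1 treated as the preferred link in active/backup, both live links returned in load sharing) and the pass-through of unconfigured names are assumptions made for the model, not a specification of the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed host map mirroring the "Add..." dialog in the DNS Proxy tab:
# host name -> (address on ISP-1, address on ISP-2)
HOST_MAP: Dict[str, Tuple[str, str]] = {
    "www.vdns.yourdomain.com": ("192.168.1.2", "172.16.2.2"),
}
DEFAULT_TTL = 15  # seconds; the default quoted in the post

ACTIVE_BACKUP = "active-backup"
LOAD_SHARING = "load-sharing"


@dataclass(frozen=True)
class LinkStatus:
    isp1_up: bool
    isp2_up: bool


def proxy_answer(host: str, status: LinkStatus, mode: str,
                 host_map: Dict[str, Tuple[str, str]] = HOST_MAP,
                 ttl: int = DEFAULT_TTL) -> Optional[Tuple[List[str], int]]:
    """Model of the DNS proxy's reply for one A query.

    Returns (addresses, ttl), or None for a host that is not in the map
    (assumption: such queries are passed through to the real DNS server).
    """
    if mode not in (ACTIVE_BACKUP, LOAD_SHARING):
        raise ValueError(f"unknown redundancy mode: {mode}")
    if host not in host_map:
        return None
    isp1_addr, isp2_addr = host_map[host]
    # Keep only addresses whose ISP link is currently up, ISP-1 first.
    live = [addr for addr, up in ((isp1_addr, status.isp1_up),
                                  (isp2_addr, status.isp2_up)) if up]
    if mode == LOAD_SHARING:
        return (live, ttl)            # one or two addresses, as links allow
    # Active/backup (assumed: ISP-1 preferred): only the first live address.
    return (live[:1], ttl)


def check_reply(host: str, observed: List[str], observed_ttl: int,
                status: LinkStatus, mode: str,
                host_map: Dict[str, Tuple[str, str]] = HOST_MAP,
                ttl: int = DEFAULT_TTL) -> List[str]:
    """Compare a reply seen by an external client with the modelled reply.

    Each finding is a reason failover would not work as intended, e.g. a
    resolver that cached an old answer or a name that bypasses the proxy.
    """
    expected = proxy_answer(host, status, mode, host_map, ttl)
    findings: List[str] = []
    if expected is None:
        findings.append(f"{host} is not in the proxy host map; reply came from real DNS")
        return findings
    want, want_ttl = expected
    configured = set(host_map[host])
    for addr in observed:
        if addr not in configured:
            findings.append(f"{addr} is not one of the configured ISP addresses for {host}")
        elif addr not in want:
            findings.append(f"{addr} belongs to a link that is down; answer is stale")
    for addr in want:
        if addr not in observed:
            findings.append(f"expected {addr} was not returned")
    if observed_ttl > want_ttl:
        findings.append(f"TTL {observed_ttl}s exceeds proxy TTL {want_ttl}s; "
                        f"resolver cached the answer, delaying failover")
    return findings


if __name__ == "__main__":
    both_up = LinkStatus(isp1_up=True, isp2_up=True)
    isp1_down = LinkStatus(isp1_up=False, isp2_up=True)
    print(proxy_answer("www.vdns.yourdomain.com", both_up, ACTIVE_BACKUP))
    print(proxy_answer("www.vdns.yourdomain.com", isp1_down, ACTIVE_BACKUP))
    print(proxy_answer("www.vdns.yourdomain.com", both_up, LOAD_SHARING))
    # Constructed observation: ISP-1 is down but a resolver still hands out
    # the ISP-1 address with a long TTL, i.e. it cached an earlier reply.
    print(check_reply("www.vdns.yourdomain.com", ["192.168.1.2"], 3600,
                      isp1_down, ACTIVE_BACKUP))
```

The checker is the part worth keeping: run it against what an external resolver actually returns for your proxied name after failing a link, and a TTL larger than the proxy's 15 seconds tells you some resolver in the path is overriding or caching beyond the value the gateway set.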