Re: Blocking Dynamic DNS update attempts via FW-1 custom INSPECT

Nice work - that's very helpful indeed. Along those lines though, I would add that in light of the numerous malicious tools hiding their evil payload on port 53 as well as other problems related to DNS-reply amplification attacks, it's a good idea to consider having an internal caching server that is the only host allowed to access the Internet for DNS. This reduces queries over the firewall and can lead to a more secure policy. It's also easier to control other DNS related things as a result.
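As an added illustration of the "only the caching resolver talks DNS across the firewall" policy above (example code, not from the thread or from FW-1), the script below encodes that policy and audits constructed firewall log lines for DNS flows the policy would deny; the internal network, resolver address and log format are assumptions.

```python
import ipaddress
import re
# Constructed policy values (assumed, not from the original thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
CACHING_RESOLVER = ipaddress.ip_address("10.0.0.53")
# Assumed firewall log format: "src=A dst=B proto=udp dport=53"
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")

def parse_flow(line):
    # Returns (src, dst, proto, dport) for one log line, or None if unparseable.
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def evaluate(src, dst, proto, dport):
    """None if the flow is not DNS or is permitted, else the deny reason. Policy:
    only the caching resolver exchanges DNS with the Internet; internal hosts
    must send their queries to that resolver; nothing outside queries inward."""
    if dport != 53 or proto not in ("udp", "tcp"):
        return None
    src_in, dst_in = src in INTERNAL_NET, dst in INTERNAL_NET
    if src_in and dst == CACHING_RESOLVER:
        return None                    # client -> resolver: expected
    if src == CACHING_RESOLVER and not dst_in:
        return None                    # resolver -> Internet: the single allowed egress
    if src_in and not dst_in:
        return "direct-external-dns"   # host bypassing the resolver; worth investigating
    if not src_in:
        return "inbound-dns"           # outside host querying inward (amplification risk)
    return "unexpected-internal-dns"   # internal DNS that does not involve the resolver

def audit(lines):
    # Returns [(line, reason)] for every logged DNS flow the policy would deny.
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = evaluate(*flow) if flow else None
        if reason:
            findings.append((line, reason))
    return findings

SAMPLE_LOG = [  # constructed sample log lines, RFC 5737 documentation addresses
    "src=10.0.5.20 dst=10.0.0.53 proto=udp dport=53",
    "src=10.0.0.53 dst=198.51.100.1 proto=udp dport=53",
    "src=10.0.7.9 dst=203.0.113.7 proto=udp dport=53",
    "src=192.0.2.10 dst=10.0.0.53 proto=udp dport=53",
    "src=10.0.5.20 dst=203.0.113.8 proto=tcp dport=443",
]
```

Running `audit(SAMPLE_LOG)` flags only the workstation going straight to an external resolver and the outside host querying inward; the client-to-resolver, resolver-to-Internet and non-DNS lines pass.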