If you're ever concerned about unauthorized traffic getting past your firewall using the domain name resolution destination ports (UDP 53, TCP 53), you have some choices. You could:
- Only pass traffic to your selected nameservers.
- Redirect the traffic to your selected nameservers.
- Redirect the traffic to your own nameserver, and resolve names to addresses of your own desire.