I remember years ago, Infoblox hired our first real IT guy (my friend Nate Campi). Not long afterward, Nate tightened up our firewall rules--et voila, I could no longer query name servers on the Internet directly. I bristled at this, and asked Nate his rationale for cutting off our access. We couldn't run dig and nslookup from our clients anymore! Well, Nate felt that it was more important that we allow only internal name servers that were authorized to query name servers on the Internet (i.e., forwarders) to send DNS queries through the firewall. As consolation, he offered me a login on one of the Linux boxen on our DMZ.
Fast forward a few years, and we see the wisdom of Nate's policy. The DNS Changer malware infected millions of Windows computers around the Internet, changing their DNS resolver settings to point to recursive name servers that would then redirect all queriers to open proxy servers, where their traffic could be recorded and examined. Nate's firewall rules would have countered DNS Changer: the worst an infected computer would have experienced would have been a denial of DNS service, not the substantially more damaging divulging of data to some nefarious organization.
So take a lesson from Nate, as I should have, and tighten up your firewall rules so that only your internal name servers--and only those that resolve Internet domain names directly--can send DNS queries through your firewall to the Internet.
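The policy above, applied to firewall log lines as an added example (not from the original post): only the listed forwarders may send port-53 traffic to the Internet, and every other internal host that tried is reported, which is how a client whose resolver settings were changed would show up. The 10.0.0.0/8 range, the forwarder addresses, the interface names and the log lines (netfilter LOG key=value style) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for illustration: internal address space and the two forwarders.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
FORWARDERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample lines in netfilter LOG key=value style (documentation IPs).
SAMPLE_LOG = """\
kernel: IN=lan0 OUT=wan0 SRC=10.0.0.53 DST=198.51.100.1 PROTO=UDP SPT=41000 DPT=53
kernel: IN=lan0 OUT=wan0 SRC=10.0.7.21 DST=203.0.113.66 PROTO=UDP SPT=50311 DPT=53
kernel: IN=lan0 OUT=wan0 SRC=10.0.7.21 DST=203.0.113.66 PROTO=TCP SPT=50312 DPT=53
kernel: IN=lan0 OUT=lan1 SRC=10.0.7.21 DST=10.0.0.53 PROTO=UDP SPT=50313 DPT=53
kernel: IN=lan0 OUT=wan0 SRC=10.0.9.4 DST=192.0.2.8 PROTO=TCP SPT=50400 DPT=443
kernel: IN=lan0 OUT=wan0 SRC=10.0.1.53 DST=192.0.2.53 PROTO=TCP SPT=41001 DPT=53
kernel: IN=lan0 OUT=wan0 SRC=10.0.9.4 DST=203.0.113.67 PROTO=UDP SPT=50401 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def classify(line):
    """Return (verdict, src, dst) for outbound DNS, or None for other traffic."""
    f = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        is_dns = f["PROTO"] in ("UDP", "TCP") and f["DPT"] == "53"
    except (KeyError, ValueError):
        return None  # not a packet record we can judge
    # Only internal -> Internet DNS on port 53 is subject to the policy.
    if not is_dns or src not in INTERNAL or dst in INTERNAL:
        return None
    verdict = "allow" if str(src) in FORWARDERS else "deny"
    return verdict, str(src), str(dst)

def audit(log_text):
    """Return (allowed forwarder queries, {blocked client: [resolvers tried]})."""
    allowed, blocked = 0, {}
    for verdict, src, dst in filter(None, map(classify, log_text.splitlines())):
        if verdict == "allow":
            allowed += 1
        else:
            blocked.setdefault(src, set()).add(dst)
    return allowed, {src: sorted(dsts) for src, dsts in blocked.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A client that appears in the blocked map is worth checking for altered resolver settings, since a correctly configured client only talks to the internal name servers.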