To quote from Rodney van den Oever's mail message:
> The solution for this is to let the firewall resolve to your internal
> nameserver and let the internal nameserver use the nameserver on your
> firewall as a forwarder.
I decided to add our two internal web servers to the list of those
known to the external nameserver, even though there are no known routes
through the firewall to them.
I decided against adding forwarding to the internal nameserver.
Currently if someone mistakenly uses telnet or ftp to access an
external site they get an immediate warning that the host is unknown.
With the DNS forwarding added to the internal server, they get a
timeout when the connection fails, leading them to think there is something
wrong with the target system, not the command that they selected.
(Normal telnet and ftp are used heavily inside the firewall and rtelnet
and rftp are used to access remote hosts.)
Thanks for all of your responses.