While this tangent is interesting, if you read the OP carefully, he's permitting his DMZ to pass DNS traffic into the firewall.
It's not clear that he's allowing it to pass into his LAN, although that might not be so crazy (DMZ->LAN, to allow it to resolve internal hostnames perhaps).

-- 
http://www.lightconsulting.com/~travis/
"You are free... to do as we tell you!" -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
