Pretty much every Sidewinder/McAfee Firewall I've installed over the past 10+ years has been configured to run in split-DNS mode and what you are describing has never been an issue.
However, if I were to consciously go about blocking it I would create a rule along the following lines:-
Source Zone: External
Source Endpoint: Any
Destination Zone: External
Destination Endpoint: Firewall External IP address
1 of 1 people found this helpful
This worked, thanks. The Application had to be PF and not a proxy. I was still able to query the external browser with NS Lookup but not with Dig....