Maybe that is for something with the old agent/HIPS... you are still running machines with MA 4.0? We have a bunch of machines in isolated DMZs that use a CAG in their firewall policy, and I know they can't query via DNS to the ePO server, but all of our agents are 4.8+ and HIPS 8.
No, we are way above all levels mentioned for MA and HIPS. However, the article states MA 4.0 P1 and HIPS 7.0, or HIGHER. At minimum, this KB should be updated if ePO being reachable via DNS lookup is not still a CAG criteria requirement.