Yes, there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources, again, HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.
Ok, so the NAT question was me being confused with a different question (duh), though you probably don't want NAT on most policies.
In any case, I recently simplified my network *dramatically* by letting my Fortigate serve up DNS on all the default gateways, and it would internally forward the requests to the real servers. I was able to remove essentially all of my firewall policies allowing DNS from one to another, a HUGE simplification.
This is worth considering.
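The setup described in the reply above, as an added illustration that is not part of any post in this thread: the FortiGate answers DNS on each internal interface and forwards queries to the real internal DNS servers, so the per-segment "allow DNS to server X" policies are no longer needed. The interface names (`port2`, `port3`), the internal DNS server addresses (`10.0.0.53`, `10.0.0.54`) and the policy names are assumptions chosen for the example.

```fortios
# Added example (not from the thread): FortiOS CLI, names and addresses are assumed.
# 1. The system resolvers the FortiGate itself forwards to: the real internal DNS servers.
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
end

# 2. Listen for DNS on each internal gateway interface and forward only (no open recursion
#    toward the internet from this listener; it just relays to the servers above).
config system dns-server
    edit "port2"
        set mode forward-only
    next
    edit "port3"
        set mode forward-only
    next
end

# 3. Clients in each segment now point at their default gateway for DNS, so the only DNS
#    policy left is the FortiGate's own traffic to the DNS servers' segment (if those servers
#    are behind a policy at all). The old per-segment DNS allow rules can be removed.
#    Keep NAT off on internal-to-internal policies so the DNS servers still see real client IPs
#    in their logs.
```

With this in place, a quick check from a client is a lookup against the gateway address (for example `nslookup intranet.example.local 10.1.2.1`, with the address being that segment's gateway); if it resolves, the interface listener and forwarding are working and the corresponding client-to-DNS-server policy can be retired.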