the obvious skipped me, thanks. You're probably right.
One hint though:
I would not allow the DC to contact an external DNS. Rather, configure the DC to ask the FGT for external names. Only the FGT knows at least one reliable DNS, namely the provider's DNS. DNS is security relevant, no host on a protected LAN should be able to contact arbitrary DNS in the world.
There are numerous posts on the forums how to configure the FGT to offer DNS on its LAN interface. The DC would be the DNS for the clients, type 'recursive', and escalate requests for foreign hosts to the FGT.
If that is not clear to you, please post again and we'll post it here.
"Kernel panic: Aiee, killing interrupt handler!"
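One way to check that the resolution path described above (clients to the DC, DC to the FGT's LAN interface, only the FGT to the provider's DNS) is actually what the LAN is doing: run the FGT's traffic logs through a small audit. This is an added example, not code from the poster or from Fortinet; the addresses, the subnet and the sample log lines are constructed, and the key=value layout merely imitates FortiGate's traffic-log style.

```python
"""Audit FortiGate-style traffic logs for DNS that bypasses the intended path.

Intended path: clients -> DC (recursive DNS) -> FGT LAN interface -> provider DNS.
Any other DNS flow from the LAN is either a misconfigured host or a host that
picked its own resolver, and is exactly what the post says should not happen.
"""
import ipaddress
import shlex

# Assumed addressing (constructed for this example, not taken from the post).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FGT_LAN_IP = ipaddress.ip_address("192.168.1.1")
DC_IP = ipaddress.ip_address("192.168.1.10")

# Constructed sample lines in a FortiGate-like key=value traffic-log style.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 srcip=192.168.1.50 dstip=192.168.1.10 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:02 srcip=192.168.1.10 dstip=192.168.1.1 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:03 srcip=192.168.1.50 dstip=8.8.8.8 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:04 srcip=192.168.1.10 dstip=1.1.1.1 dstport=53 proto=17 action=accept',
    'date=2024-01-01 time=10:00:05 srcip=192.168.1.60 dstip=203.0.113.7 dstport=443 proto=6 action=accept',
]


def parse_log(line):
    """Split a key=value log line into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def classify(rec):
    """Return a finding for a DNS flow that leaves the intended path, else None."""
    # Only TCP (6) or UDP (17) to port 53 is of interest here.
    if rec.get("dstport") != "53" or rec.get("proto") not in ("6", "17"):
        return None
    src = ipaddress.ip_address(rec["srcip"])
    dst = ipaddress.ip_address(rec["dstip"])
    if src not in LAN_NET:
        return None
    if src == DC_IP:
        # The DC may only forward to the FGT's LAN address.
        return None if dst == FGT_LAN_IP else f"DC {src} resolving via {dst} instead of FGT"
    if dst == DC_IP:
        # Ordinary client asking the DC: expected.
        return None
    return f"LAN host {src} sent DNS directly to {dst}"


def audit(lines):
    """Run every line through classify() and collect the findings in log order."""
    findings = []
    for line in lines:
        finding = classify(parse_log(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample the audit flags two flows: a client talking to 8.8.8.8 directly, and the DC forwarding to 1.1.1.1 instead of the FGT. Feeding it real logs assumes the FGT has a LAN-to-WAN policy that logs DNS traffic; with a deny-and-log policy for port 53 in place, the same script shows which hosts keep trying to go around the DC.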