
Advanced threat protection and DNS security issue

Hello,
I noticed some alerts in Advanced Threat Protection. I think that it should be related to some DNS security issues. This is my scenario:

I have a local DC on which a DNS server runs, which uses the UTM as its DNS forwarder.
I configured the DNS service in my UTM to only accept queries from internal interfaces. I also configured two DNS request routes:
1.168.192.in-addr.arpa directed to the internal DNS domain controller
mydomain.local directed to the internal DNS domain controller

These are the entries in ATP log file:

2017:01:27-12:31:21 FIREWALL named[4651]: rpz: client INTERNAL_DNS_SERVER_IP_ADDRESS#53779 (ns1.broadbandplusmedia.net): view default: rpz QNAME NXDOMAIN rewrite ns1.broadbandplusmedia.net via ns1.broadbandplusmedia.net.rpz
2017:01:27-12:31:21 FIREWALL named[4651]: rpz: client INTERNAL_DNS_SERVER_IP_ADDRESS#53310 (ns2.broadbandplusmedia.net): view default: rpz QNAME NXDOMAIN rewrite ns2.broadbandplusmedia.net via ns2.broadbandplusmedia.net.rpz

These are some entries in DC DNS server log file:

27/01/2017 12:31:21 0C88 PACKET  000000000CA9C240 UDP Rcv 50.7.0.95       735c R Q [1080       NOERROR] PTR    (2)50(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET  000000000B667900 UDP Snd UTM_IP_ADDRESS 01c7   Q [1001   D   NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  0000000007FD8020 UDP Rcv UTM_IP_ADDRESS 01c7 R Q [9381   DR NXDOMAIN] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000B667900 UDP Snd 192.5.6.30      a12f   Q [1000       NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000BEBE940 UDP Rcv 50.7.0.95       11a7 R Q [0080       NOERROR] PTR    (2)42(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET  0000000004A5A130 UDP Snd UTM_IP_ADDRESS b7c4   Q [1001   D   NOERROR] A      (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000E5C8DB0 UDP Rcv UTM_IP_ADDRESS b7c4 R Q [9381   DR NXDOMAIN] A      (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  0000000004A5A130 UDP Snd 192.5.6.30      d847   Q [0000       NOERROR] A      (3)ns2(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000E1121D0 UDP Rcv 192.5.6.30      a12f R Q [1080       NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000422BFD0 UDP Rcv 192.5.6.30      d847 R Q [0080       NOERROR] A      (3)ns2(18)broadbandplusmedia(3)net(0)

As you can see, it seems that external addresses contact my local DNS server directly. I cannot understand how this is possible, since the UTM is not exposed to external DNS queries.

Any suggestion?

Thanks

  • You might want to consider DNS best practice, David.  It's likely that you have a client on your LAN that's querying your DC with an FQDN that's a known threat.  You should be able to see which client that is in the log.  I don't read the log as indicating that an outside device has queried your DC's DNS service.

    Cheers - Bob
    PS It's difficult to read and quickly understand the lines when someone uses things like UTM_IP_ADDRESS and INTERNAL_DNS_SERVER_IP_ADDRESS instead of an obfuscated IP address like 172.27.x.1 or 213.x.y.183.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
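To make Bob's reading of the log checkable rather than a matter of eye-balling column widths, here is a small parser (an added example, not code from the thread or from Sophos) for the two log formats quoted above. It relies on two facts about the Windows DNS debug log: `Snd`/`Rcv` give the packet direction as seen from the DC, and the `R` flag before `Q` marks a response. Only a `Rcv` line *without* `R` is an inbound query, so that is the only line type that could show an outside device querying the DC. The regular expressions reproduce the field layout of the posted lines and are an assumption about the formats; the sample input is constructed from the lines above with the poster's placeholders kept as posted.

```python
import ipaddress
import re

# Constructed sample input: five of the Windows DNS debug-log lines and one of the UTM
# named RPZ lines quoted in the thread, with the poster's placeholders left as posted.
WINDOWS_DNS_LOG = """\
27/01/2017 12:31:21 0C88 PACKET  000000000CA9C240 UDP Rcv 50.7.0.95       735c R Q [1080       NOERROR] PTR    (2)50(2)82(2)16(3)198(7)in-addr(4)arpa(0)
27/01/2017 12:31:21 0C88 PACKET  000000000B667900 UDP Snd UTM_IP_ADDRESS 01c7   Q [1001   D   NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  0000000007FD8020 UDP Rcv UTM_IP_ADDRESS 01c7 R Q [9381   DR NXDOMAIN] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000B667900 UDP Snd 192.5.6.30      a12f   Q [1000       NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
27/01/2017 12:31:21 0C88 PACKET  000000000E1121D0 UDP Rcv 192.5.6.30      a12f R Q [1080       NOERROR] A      (3)ns1(18)broadbandplusmedia(3)net(0)
"""
RPZ_LOG = """\
2017:01:27-12:31:21 FIREWALL named[4651]: rpz: client INTERNAL_DNS_SERVER_IP_ADDRESS#53779 (ns1.broadbandplusmedia.net): view default: rpz QNAME NXDOMAIN rewrite ns1.broadbandplusmedia.net via ns1.broadbandplusmedia.net.rpz
"""

# Field layout of a Windows DNS debug-log PACKET line, inferred from the posted lines (assumption):
# date time thread PACKET buffer proto Snd|Rcv peer xid [R] Q [flags rcode] qtype name
WIN_DNS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<peer>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?:(?P<resp>R) )?Q "
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
# BIND/UTM response-policy-zone hit line, layout inferred from the posted lines (assumption).
RPZ_RE = re.compile(
    r"rpz: client (?P<client>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): view (?P<view>\S+): "
    r"rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite \S+ via (?P<zone>\S+)"
)


def decode_name(wire):
    """'(3)ns1(18)broadbandplusmedia(3)net(0)' -> 'ns1.broadbandplusmedia.net'."""
    return re.sub(r"\(\d+\)", ".", wire).strip(".")


def classify(direction, is_response):
    """Packet kind as seen from the DC. Only 'Rcv' without the R flag means the peer queried us."""
    if direction == "Rcv":
        return "response-in" if is_response else "query-in"
    return "response-out" if is_response else "query-out"


def parse_windows_dns_log(text):
    records = []
    for line in text.splitlines():
        m = WIN_DNS_RE.match(line)
        if not m:
            continue  # debug logs also carry hex dumps and blank lines; skip them
        flags = m["flags"].split()  # e.g. ['9381', 'DR', 'NXDOMAIN']; the rcode is always last
        records.append({
            "time": m["time"],
            "peer": m["peer"],
            "xid": m["xid"].lower(),
            "kind": classify(m["dir"], m["resp"] is not None),
            "rcode": flags[-1],
            "qtype": m["qtype"],
            "name": decode_name(m["name"]),
        })
    return records


def is_external(peer):
    """Public IP -> True. Placeholders such as UTM_IP_ADDRESS and RFC 1918 addresses -> False."""
    try:
        return ipaddress.ip_address(peer).is_global
    except ValueError:
        return False


def external_query_sources(records):
    """Internet hosts that sent queries TO the DC: the only evidence of an exposed resolver."""
    return sorted({r["peer"] for r in records if r["kind"] == "query-in" and is_external(r["peer"])})


def external_peers_we_queried(records):
    """Internet hosts the DC itself sent queries to, i.e. recursion that did not go via the forwarder."""
    return sorted({r["peer"] for r in records if r["kind"] == "query-out" and is_external(r["peer"])})


def parse_rpz_log(text):
    return [m.groupdict() for m in (RPZ_RE.search(line) for line in text.splitlines()) if m]


def explain_hit(hit, records):
    """For one RPZ hit, list who asked the DC for that name and where the DC forwarded it."""
    same = [r for r in records if r["name"] == hit["qname"]]
    return {
        "qname": hit["qname"],
        "asked_by_clients": sorted({r["peer"] for r in same if r["kind"] == "query-in"}),
        "dc_sent_to": sorted({r["peer"] for r in same if r["kind"] == "query-out"}),
    }


if __name__ == "__main__":
    recs = parse_windows_dns_log(WINDOWS_DNS_LOG)
    for r in recs:
        print(f'{r["kind"]:13} peer={r["peer"]:16} {r["qtype"]:4} {r["name"]} {r["rcode"]}')
    print("external hosts that queried the DC:", external_query_sources(recs))
    print("external hosts the DC queried directly:", external_peers_we_queried(recs))
    for hit in parse_rpz_log(RPZ_LOG):
        print("RPZ hit:", explain_hit(hit, recs))
```

Run against the posted excerpt, `external_query_sources` comes back empty: every `Rcv` from a public address (50.7.0.95, 192.5.6.30) carries the `R` flag, so it is a response to a query the DC sent, not an outside device querying the DC. What the excerpt does show is the DC sending its own queries to 192.5.6.30, i.e. the DC recursing to the Internet directly in addition to forwarding to the UTM. The RPZ hit names `INTERNAL_DNS_SERVER_IP_ADDRESS` as the client because the UTM only sees the DC; `asked_by_clients` is empty for this excerpt, so the `query-in` record that started the lookup, which identifies the LAN client Bob refers to, has to be found further back in the DC debug log.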