I want to allow internal hosts (subnets) to resolve names for internal devices but limit which subnets can resolve names on the Internet. Should I apply an access list to the "." zone to accomplish this? Thanks, kelly