I have firewalled dns as a security measure. One hack is to point someone at a foreign dns server bad guys control. So I guess I am off to another provider if they do this. Disappointing.
I used to work at a TV station. My two cents and the short version.
The business end of the company has different needs and goals than the engineering area. An example a marketing person should not be able to access the transmitter site. Put a firewall between Engineering and the rest of the company. That is your point of demarc. There is going to be data sharing between the areas, but that is the purpose of the firewall. Setup procedures and standards for company computing. Train or work with a designated engineer on company IT procedures. Let the IT engneer setup engineering procedures The engineers only need access to a subset of the company IT. Engineers PCs should log on to the domain or their trusted domain.. Everybody is happy.