Edit: This is not a question about DDOS, but a question about how to resolve a technical issue impacting only Mac clients of Outlook Anywhere.
Problem and solution are now known, but I cannot link it here because of some stupid Stack Exchange limit. I can suggest googling: "outlook anywhere We Get to Use Commandlets" and you should find the problem and solution described at charlietree.com
Original question follows...
I'm not a Mac user, nor the Windows Admin, so forgive me if I don't have the nomenclature correct, but I'm trying to help another admin.
We run Active Directory and Exchange 2010. The name servers for our Internet top level domain are Linux with Bind. A subdomain like ad.example.com is the domain for AD, Exchange, etc.
In an attempt to prevent the DNS service on AD from being abused by the DNS reflection DDOS attack method, port 53 was blocked at the firewall. It has the effect of blocking off-site users with Mac Outlook from syncing with Exchange.
Blocking port 53 seemed the only way to go because disabling recursion on the Windows DNS causes failures to access the outside world, and unlike Bind, there is no feature like views.
Are other sites finding this is a problem, or does it hint of a configuration problem?
The admin mentioned that when traced, the connection information (perhaps with autodiscovery) came back with the address like exchange.ad.example.com, while the exchange server is also known as an address like exchange.example.com. He isn't sure if there is some place in the configuration to fix that. The idea being if we can get the "ad" out of the host name, the Mac Outlook client would not need to talk to the DNS on AD.
Our Goal: to block AD's DNS servers from DDOS abuse.
Our problem: Mac Outlook clients require access to AD's DNS when off site.
I'm still a little lost as to your explanation of why you are doing what you are doing with the port 53 block. Your internal DNS within your firewall should have no reason to be exposed to the internet, so you are right to block inbound port 53 to it on your firewall. Your external DNS should provide name resolution for your external (internet facing) domain name, including autodiscover.domain.com.
I think you are overly complicating things.
Exchange can be set up to handle Mac clients running Outlook 2011 easily, using the same autodiscover methods that Outlook Anywhere and smartphones use.
You'll simply set up the proper cert, make sure the internal and external URLs for Outlook Anywhere are correct, and make sure that the proper ports (80/443) are allowed through the firewall to the Exchange server, and that the authentication is set up for Outlook Anywhere.
Once you've done this, and you can confirm via a test on www.testexchangeconnectivity.com that all is set up correctly, then you should have no problems configuring a Mac client running Outlook at that point.
Some URLs to help you along:
http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html
http://technet.microsoft.com/en-us/library/bb201695%28v=exchg.141%29.aspx
http://premnair.wordpress.com/2010/07/03/configure-ews-autodiscover-owa-oab-ecp-on-exchange-server-2010/
http://blogs.technet.com/b/exchdxb/archive/2012/05/10/troublshooting-autodiscover-exchange-2007-2010.aspx
http://exchangeserverpro.com/how-to-configure-exchange-server-2010-outlook-anywhere/
https://help.exchangemymail.com/entries/20037278-Configure-Outlook-2011-for-Mac-with-Exchange-2010-2007
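As an added example (not part of the question or of the answer above), the following Exchange 2010 Management Shell script audits the hostnames that Autodiscover hands back to clients and flags any that sit under the internal AD zone, which is exactly the symptom the question describes (clients being told to use exchange.ad.example.com). The internal suffix ad.example.com, the public name exchange.example.com and the server name EXCH01 are assumptions for the example; the correction lines use -WhatIf so nothing is changed until you drop it.

```powershell
# Added example, not the question author's or the answer author's code.
# Assumptions: internal AD zone is ad.example.com, the public Exchange name is
# exchange.example.com, the CAS/mailbox server is EXCH01 and each role has a
# single virtual directory on the Default Web Site. Adjust for your environment.
$InternalSuffix = "ad.example.com"
$PublicHost     = "exchange.example.com"
$Server         = "EXCH01"

# Reports whether a URL/hostname Autodiscover will return is usable from outside:
# empty values make Outlook fall back to the server's internal FQDN, and values
# under the AD zone can only be resolved by AD's DNS (hence the port 53 dependency).
function Test-PublicUrl {
    param([string]$Label, [string]$Value)
    if ([string]::IsNullOrEmpty($Value)) {
        Write-Warning ("{0}: not set (clients fall back to the internal FQDN)" -f $Label)
    } elseif ($Value -match [regex]::Escape($InternalSuffix)) {
        Write-Warning ("{0}: {1} is in the internal zone; off-site clients would need AD's DNS" -f $Label, $Value)
    } else {
        Write-Output ("{0}: {1} OK" -f $Label, $Value)
    }
}

# Each of these values is surfaced to clients through Autodiscover.
$oa = Get-OutlookAnywhere -Server $Server
Test-PublicUrl "Outlook Anywhere ExternalHostname" $oa.ExternalHostname

# Outlook 2011 for Mac talks to Exchange Web Services, so this URL matters most for it.
$ews = Get-WebServicesVirtualDirectory -Server $Server
Test-PublicUrl "EWS ExternalUrl" $ews.ExternalUrl

$oab = Get-OabVirtualDirectory -Server $Server
Test-PublicUrl "OAB ExternalUrl" $oab.ExternalUrl

$cas = Get-ClientAccessServer -Identity $Server
Test-PublicUrl "AutoDiscoverServiceInternalUri" $cas.AutoDiscoverServiceInternalUri

# Corrections: review the -WhatIf output, then re-run these lines without -WhatIf.
Set-OutlookAnywhere -Identity $oa.Identity -ExternalHostname $PublicHost -WhatIf
Set-WebServicesVirtualDirectory -Identity $ews.Identity -ExternalUrl "https://$PublicHost/EWS/Exchange.asmx" -WhatIf
Set-OabVirtualDirectory -Identity $oab.Identity -ExternalUrl "https://$PublicHost/OAB" -WhatIf
```

Once every value reported above resolves in the public (Bind) zone and the certificate covers that name, off-site Mac clients have no reason to query AD's DNS, so inbound port 53 to the domain controllers can stay blocked without breaking Outlook Anywhere. The www.testexchangeconnectivity.com test mentioned in the answer is the external confirmation that the returned URLs actually work from the internet.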