Each device caches DNS resolution requests. If the local PC doesn't already know the IP of an FQDN, it asks (in your case), your internal DNS. If the internal DNS has resolved that for someone else, it will answer with the information it has cached. Etc.
Over the last two years, it seems like the following has become the accepted standard for best practice in your case (replace OpenDNS servers with others nearer/faster for you):
[LIST=1]
Internal devices point at internal name server for DNS, then the Astaro, then the OpenDNS servers.
The internal DNS server's first forwarder is to the Astaro DNS Proxy, then to the OpenDNS servers.
The Astaro DNS Proxy lists "Internal (Network)" as allowed client.
The Astaro DNS Proxy lists the OpenDNS name servers as forwarders, and 'Use forwarders assigned by ISP' is not checked.
In 'Request Routing', the internal DNS is used for reverse DNS of internal IPs (for example if your internal subnet is 172.16.20.0/24, you would have '20.16.172.in-addr.arpa -> {Internal DNS}'. With that, the Astaro can list machine names instead of internal IP addresses in the reports.
[/LIST]
See what happens if you make those changes.
