You do not. A dns server is required to resolve fqdns of radius servers, for example.
If you have a domain name acl, the controller looks to see if a user receives a dns resolution for that domain name and puts the ip address in the table at "show firewall dns-names". It then would allow or block any traffic to or from those ip addresses based on your ACL.