I can tell you from my experience, most organizations just allow DNS to their internal DNS servers, or a few of them, and either use the internal captive portal in the controller, or ClearPass/ISE for external. Depends on what kind of guest experience you want for your users. For most, the guest user VLAN/subnet is always off of a firewall in a DMZ or external zone.