Just wanted to give everyone an update that I contacted support and asked them to make it so DNS calls were resolved internally. After a couple of back-and-forths, they got an engineer to make some changes (no insight into exactly what those were), but even then I had to go back and ask them to validate because my system was still trying to go out to Cloudflare.
After the second time, it is indeed only using internal calls. So clearly this is a known procedure.