Okay, I might overcomplicated your issue.
I didn’t pay a close attention to resolver setup on ZS. My understanding is that you only need ZS to resolve right your tfs.domain entry, more precisely transparent proxy app on ZS.
You can try to setup DNS as cache and forwarder only on ZS. Enable DNS, don’t bother with SOA, just under forwarders add your internal DNS server.
Make sure your internal DNS server has the right forwarders ( e.g ISP, Google).
On DHCP pass the internal.