In order to have access from the internet you need routable internet IPs for your internal or DMZ network. However, that means your network would be exposed, plus the cost of the IPs.
From a DNS perspective you did it right; I have a similar setup but with a non-routable network.
In order to access internal services I use a VPN, and after that everything works like at home. The trick is to push the internal DNS server on the VPN. This will add a layer of security over the forwarded ports.
If you do not have many clients for your internal network you will need to set up a VPN client on your clients and a VPN server on the ZS.
If you want to have services presented to the internet, port forwarding is the way.
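Added example, not from the post above: an OpenVPN server configuration fragment showing the "push the internal DNS server on the VPN" idea. It assumes the gateway runs OpenVPN; the subnets, the resolver address 10.0.0.53, the domain suffix and the file names are made-up placeholders.

```conf
# Added example, not the poster's own config. Assumes OpenVPN on the
# gateway; LAN 10.0.0.0/24, resolver 10.0.0.53 and the VPN pool are
# constructed placeholder values.
port 1194
proto udp
dev tun

# Address pool handed to VPN clients (placeholder)
server 10.8.0.0 255.255.255.0

# Route the internal LAN through the tunnel so clients reach internal hosts
push "route 10.0.0.0 255.255.255.0"

# Push the internal resolver: internal names only resolve once the
# client is connected, so nothing internal has to be published in public DNS
push "dhcp-option DNS 10.0.0.53"
push "dhcp-option DOMAIN lan"

# Certificate-based client authentication plus an HMAC on the control channel,
# so unauthenticated packets to the forwarded VPN port are dropped early
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
```

With this, the only port forwarded from the internet is the VPN port (UDP 1194 here); the internal services themselves stay unreachable until a client has authenticated. After connecting, a client can confirm the resolver was applied with `nslookup somehost.lan 10.0.0.53` (or `dig @10.0.0.53 somehost.lan`).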