Multiple DNS resolvers for root forward zone "."

I have a requirement for two sets of LTM services with different DNS requirements.

The primary red secure service uses an internal DNS service but traffic can also be routed to the Internet. The second blue service uses a partner Internet Gateway. This has all worked with both services using the blue DNS resolver until recently one of the cloud apps needs to use 'microsoft.com' services.

Because the Blue gateway uses public DNS to validate FQDNs and Microsoft frequently roll (like every 5mins) the public IP addresses in DNS responses we think the blue gateway is caching different IP addresses to the pink DNS server and so when the blue gateway validates the destination IP it can sometimes drop traffic