Thursday, March 21, 2019

DMZ question

Hey all,

Doing a little DMZ design work. A web server will be placed in the DMZ. External users, DMVPN users, and LAN users will all need to be able to hit it. I was going to do this in a way where DMVPN users came into the firewall on the inside interface like LAN users, and external folks obviously came through the outside interface.

However, boss man wants to stop this split DNS thing we've got going on and wants internal DNS to match public DNS. Due to the split tunnel policy, DMVPN users can definitely come in hitting the public IP just like external users, but I feel weird about my LAN users trying to access the web server via the public IP. In fact, there are null routes on our core to prevent you from routing to our public blocks. I did not put those there, but I know they would need to be taken out to make this work.

Is there a reason why I shouldn't do it the way the boss is looking to do it? We have two data centers (connected through fiber) and use AS path prepend via BGP to dictate the flow of traffic from the outside, if it matters. Never really barked down this alley before, so hoping someone wiser than myself can give me some advice. Thanks!
