Server :: DNS Merge / Intercept Queries From Zone File

I chose -Server-, if this is more appropriate in -Networking-, just let me know. Basically, I need to be able to merge responses stored in a zone file with responses from an "upstream" authoritative server. I'm in the sad position of needing to "intercept" requests to *part* of a domain (but not restricted to a sub-domain!) and return results for *some* hosts that use an internally routed address, and results for the rest using the public internet addresses. Unfortunately, it's not my domain, so I can't just use views (although I suspect they could end up having some part to play in this, at least potentially)... but instead I have to actually send requests recursing to the other site's external DNS for any hosts my server doesn't have records for in the zone file.

Some background on the situation:
I work at a local government, which has a private link / VPN connection to a state government entity, and needs to use internal addresses for some of the state servers, which then get routed over an "internal" network link. But the state uses the same domain name internally and externally, just presenting views to internal clients vs. external clients. -- However, we are only being allowed access to certain of their servers through the internal link, which means that for any other servers that we don't have internal/private access for, we have to visit the public addresses just like anyone else on the internet... So, I can't just send all requests to their internal DNS and get responses, because we'd get IPs for some servers (e.g. their main web site) that we wouldn't then be able to reach using the internal network link.

For Example: Say I have a client machine, "client1", on my network ("my.net"), which uses "mydns1.my.net" for name resolution ... and which needs to access 2 servers on the state network, "private.st.us" and "public.st.us" -- so named based on how "my.net" needs to access them.

The external state DNS server/view ("ext-dns.st.us") responds to requests with something like:
private.st.us -- 1.2.3.456
public.st.us -- 1.2.3.457
(Those are just crap addresses, obviously.

The internal state DNS server/view ("int-dns.st.us") responds to requests with something like:
private.st.us -- 10.0.0.8
public.st.us -- 10.0.0.10
This works on their network because their own clients have access to all such IPs.

But for us, they only allow traffic flowing between "my.net" and their internal network to reach the 10.0.0.8 address, blocking all other address destinations. So, when "client1.my.net" asks "mydns1.my.net" for the address of "public.st.us", I need "mydns1" to recurse out to "ext-dns.st.us" to get an answer (1.2.3.457) and then return that IP to "client1" -- because "my.net" is blocked from accessing the server's 10.0.0.10 address. But, when client1 asks mydns1 for "private.st.us" I need to pull the IP (10.0.0.8) from a local zone file instead of asking either of the state DNS servers -- or optionally forward the request to "int-dns.st.us" I suppose -- because the state blocks access to certain services (which we need and are the whole cause of this problem!) via the public (1.2.3.456) address.