Go to 192.168.4.3
In paragraph 3, write 192.168.4.1 or / and 8.8.8.8, uncheck 3.2 (it will not allow you to register forwarders).
Now about the meaning. If this is not configured, then:
The client wants to find out the yandex.ru address, sees 192.168.4.3 in the DNS list, makes a request to 192.168.4.3 for the yandex.ru address, but 192.168.4.3 knows only about its domain, it does not know about yandex .ru and responds to the client with a refusal. In a good way, the client should immediately ask the same question to the next DNS in the list (192.168.4.1) and get a normal answer. But in windows, working with DNS has always been clumsy, inadequate. Windows seems to be telling you "if I don't get the correct answer from DNS on the first try , then you will suffer from me!"
If you add forwarders, then 192.168.4.3, when requesting yandex.ru, will say (to itself) "So, I don’t know anything about yandex.ru, so I’ll ask 192.168.4.1", and he asks 192.168.4.1, receives an answer, and then passes this response (on its own behalf) to the client. Those. the client will get what he needs on the first try.
There is one more option. Whether it will work better depends on the Cisco router. You register two DNS on the router: 192.168.4.3, 8.8.8.8. At the same time, remove 192.168.4.3 from the DNS list in DHCP. Those. clients receive DNS 192.168.4.1, 8.8.8.8. When requesting names from AD, the router must forward the request to 192.168.4.3. At the same time, it is no longer necessary (and even a little harmful) to prescribe forwarders to 192.168.4.3. In theory, it should work no worse than the first option, but you need to check it in practice, because. in each specific network and with each piece of iron there can be troubles.

The good news is that everything needs to be redone. DHCP to transfer to HELL, for HELL to do the domain xxx.local. Your problem now is that DNS is not configured correctly and it does not know about DHCP. on 2800, leave only outward routing and NAT, connect 3750 to it and configure VLAN and internal routing, connect everything else after 3750. then the DNS forwarding proposed above will not be needed. And this one, the backup server in AD, died along with NT - since then, servers are not divided into primary and backup, different roles can be transferred to them, but they all work at the same time.
It is difficult, not convenient and long to paint in detail how you do everything. the idea is that the router should route the external load, 3750 will become the core / aggregation layer, the rest of the zoo will go to the access layer. as a result, network management will be mainly at 3750. By integrating DHCP into AD and configuring DNS correctly, you can automatically distribute addresses to different VLANs and you will not have problems with resolving names, both external and internal. Besides at you the domain name "external" is now used, and addressing of a class With not routable - the collapse turns out. this is very wrong. especially if your xxx.ru is registered somewhere and your DNS understands that it should be outside, but in fact it is inside.