I have implemented an Edge Transport Server; but I think there is a lot of setup guidance missing from documentation.
From what I can tell, many of the Anti-SPAM agents use RBLs to contribute to their processing, not just the connection filter.
There does not seem to be any guidance on which RBLs to implement. It seems logical to me that with this Server Role, and the dependency on these DNS databases (RBLs), combined with each RBL's connection policies and limits, that Microsoft would have a deployment guide on using a Microsoft-housed DNS Server via DNS Server Conditional Forwarding, or something internal to the Edge Transport Role, to ensure reliable access to RBLs for processing.
In Forefront for Exchange 2010, many RBLs were included in the product, and from my testing they had built-in access to the RBLs without a dependency on internal DNS Servers.
If you need specifics, Google Public DNS does not resolve zen.spamhaus.org (the largest). dnsbl.invaluement.com is not publicly accessible; dnsbl.sorbs.net and b.barracudacentral.org are not resolvable from my ISP's DNS Server, my primary DNS forwarder.
It seems logical to me that the Exchange 2013 SP1 Edge Transport Role's Anti-SPAM Agents should somehow use a Microsoft DNS Server to resolve all the DNSBLs that Microsoft uses in its Cloud/EOP services.
Technology Administrator Erie County (Career and) Technical School.
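The post's core problem is that a DNSBL lookup that fails silently (NXDOMAIN from a resolver that cannot or will not serve the zone) looks exactly like "IP not listed", so the connection filter quietly stops filtering. The following script is an added example, not code from the post or from Microsoft, that verifies each zone through whatever resolver the host actually uses. It relies on the RFC 5782 convention that every DNSBL lists the test address 127.0.0.2 and does not list 127.0.0.1, and on the Spamhaus-documented 127.255.255.x answers that signal a rejected query (for example, one sent via a public resolver). The zone list, the `resolve` callable and all verdict names are assumptions for this example.

```python
"""Verify that the DNSBL zones an Edge Transport server depends on are
reachable through this host's resolver (RFC 5782 test entries).
Added example; not part of the original post or any vendor documentation."""
import socket
from typing import Callable, Dict, List, Optional

# Zones named in the post (constructed list for this example; edit to match
# the zones configured on your Connection Filtering agent).
DNSBL_ZONES: List[str] = [
    "zen.spamhaus.org",
    "dnsbl.sorbs.net",
    "b.barracudacentral.org",
    "dnsbl.invaluement.com",
]

# A resolver takes a hostname and returns its A record, or None when the
# name does not resolve (NXDOMAIN, SERVFAIL, timeout).
Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve through the operating system's configured DNS servers."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL query name, e.g.
    '2.0.0.127.zen.spamhaus.org' for 127.0.0.2 in zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def check_zone(zone: str, resolve: Resolver = system_resolve) -> Dict[str, Optional[str]]:
    """Apply the RFC 5782 section 5 sanity checks to one zone.

    Verdicts (assumed names for this example):
      ok                - 127.0.0.2 listed, 127.0.0.1 not listed
      unreachable       - test entry not listed: resolver cannot serve this
                          zone, or the zone is dead; filtering is silently off
      resolver-rejected - Spamhaus-style 127.255.255.x error answer, e.g.
                          query sent via a public/open resolver or over quota
      wildcard          - 127.0.0.1 also listed: parked/expired zone that
                          would reject all inbound mail
    """
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))
    unlisted = resolve(dnsbl_query_name("127.0.0.1", zone))
    if listed is None:
        verdict = "unreachable"
    elif listed.startswith("127.255.255."):
        verdict = "resolver-rejected"
    elif unlisted is not None:
        verdict = "wildcard"
    else:
        verdict = "ok"
    return {"zone": zone, "test_listed": listed,
            "test_unlisted": unlisted, "verdict": verdict}


def check_all(zones: List[str], resolve: Resolver = system_resolve) -> List[Dict[str, Optional[str]]]:
    """Check every zone; returns one result dict per zone."""
    return [check_zone(z, resolve) for z in zones]


if __name__ == "__main__":
    for r in check_all(DNSBL_ZONES):
        print(f"{r['zone']:<28} {r['verdict']:<18} "
              f"127.0.0.2={r['test_listed']} 127.0.0.1={r['test_unlisted']}")
```

Run it on the Edge Transport host itself (the resolver that matters is the one the transport service uses), and treat anything other than `ok` as a filtering gap rather than a clean result. The `resolve` parameter exists so the checks can be pointed at a different resolver, or at a stub in a unit test, without touching the system configuration.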