It sounds like you don't need vlan 25 on the PSA at all. The PSA DNS request will originate from the internal port ip address and this VLAN needs a gateway address that can then reach the rest of the required resources like VLAN 25 DNS server.
Where is the layer 3 gateway address for the internal port VLAN
Is the gateway setup in the PSA
Is there a firewall where rules are needed to allow the communication to the DNS server