Hi southrider,
Just to be clear, anyone from the public internet can hit your intranet if they have the domain name or IP address? If this is the case, then no I don’t believe Duo alone can fix it for you. You may want to look at a reverse proxy (I believe Windows Server starting with 2012 has this feature available as an installable role). What you’d want to do is close off web access to your intranet on your firewall, and instead have the domain name point to this reverse proxy. The proxy will authenticate users (you can probably integrate Duo here at this point) and if authentication succeeds then your users will reach the intranet.
Depending on your setup it may just be easier to block access to the intranet from the public internet and require your users to use a VPN to access it from the outside.