Does the external web server (in DMZ) talk to DB directly without going through internal app server?
Yes, It the external domain (DMZ) communicates directly with the DB without the intervention of internal apps node.
The main objective of setting up a DMZ is to deploy security on the internal data. When setting up DMZ you have the option of including multiple firewalls so that data access is restricted. This is well explained in the below note.
Oracle E-Business Suite R12 Configuration in a DMZ (Doc ID 380490.1)
In case if the answers to above questions are yes then what are the alternatives available to avoid DB being exposed through external server directly?
How To Configure Firewall When Remoting Container Sits Inside DeMilitarized Zone (DMZ) (Doc ID 1149388.1)
Hints and Tips for Troubleshooting the URL Firewall (410-Gone on DMZ External Tiers) (Doc ID 460564.1)