Questions about using resolver vs. bind with active directory DNS, etc.

  • Hi,

    I have some questions about setting up Active Domain with pfSense.  I'm pretty new to this and I haven't found any posts specifically dealing with this question, and I've been scouring for hours.

    Here's a simple diagram of my setup:

    +–-----------+      +--------------+      +-------------+        ISP
    |  Client        |        |  Windows    |      | pfSense      |        /
    |  Machines  |        | Server 2016 |      | Firewall      |      /
    |                  >----->  AD DC      >----->DNS resolver ><
    | on internal  |        |  Internal      |      |for external  |     
    |  network    |        |  DNS          |      |DNS            |       
    |                  |      |  DHCP server|      |                  |          VPN service
    +-------------+      +--------------+      +--------------+

    Windows Server 2016 core, an Active Directory Domain controller, is the DNS server for the local network and issues DHCP leases.

    I have Windows' DNS set up to forward DNS requests to my pfSense firewall if it cannot resolve a name (e.g. external DNS), which has DNS resolver service running.

    pfSense was already set up to direct traffic from certain IPs to either the internet with or without a VPN before I set up the ADDC/DNS/DHCP box.  The VPN is connected through pfSense using OpenVPN and there are different external recursive DNS servers for each (I'm using PIA and Google DNS, respectively).

    After I set up the Windows ADDC/DNS/DHCP server, the only thing I've changed in pfSense is turning off DHCP server.

    So far it all seems to be working good, but being new to using Windows Server for networking, I was hoping some people could help me out with analyzing this setup.  Here's my specific questions:

    1)  Is this how I'm supposed to set this stuff up?  Is there anything wrong with how it's done, or is there a better over-all way to do it?

    1. The ADDC/Internal DNS only points to itself for DNS entries (e.g.  Is this proper?

    I saw some articles on Technet saying it's best to have another DNS to point to - I don't have any other DNS on my network (unless you count the pfSense Resolver).  I kind of assumed this was some reference to failover or shared workload (e.g. 80/20 rule) but I'm really not sure.

    1. Internal network is removed from pfSense - pfSense basically deals with anything external and nothing else.  Is this a good way to have things set up, or are there benefits to using Windows to point to external DNS, as well?

    Would it be beneficial to set up a DNS cache using Bind or Windows, and use pfSense only as a firewall?

    Thanks, I appreciate any questions or comments.