
I have some questions about setting up Active Domain with pfSense. I'm pretty new to this and I haven't found any posts specifically dealing with these questions, and I've been scouring for hours.

Here's a simple diagram of my setup:

client machines <--> ADDC/DNS/DHCP server for internal DNS <--> forwarded to pfSense for external DNS (resolver) and splitting traffic to VPN / non-VPN based on internal network IP <--> internet

Windows Server 2016 Core, an Active Directory Domain Controller, is the DNS server for the local network and issues DHCP leases.

I have Windows' DNS set up to forward DNS requests to my pfSense firewall if it cannot resolve a name (e.g. external DNS), which has DNS resolver service running.

pfSense was already set up to direct traffic from certain IPs to either the internet with or without a VPN before I set up the ADDC/DNS/DHCP box. The VPN is connected through pfSense using OpenVPN and there are different external recursive DNS servers for each (I'm using PIA and Google DNS, respectively).

After I set up the Windows ADDC/DNS/DHCP server, the only thing I've changed in pfSense is turning off DHCP server.

So far it all seems to be working well, but being new to using Windows Server for networking, I was hoping some people could help me out with analyzing this setup. Here are my specific questions:

1) Is this how I'm supposed to set this stuff up? Is there anything wrong with how it's done, or is there a better overall way to do it?

2) The ADDC/Internal DNS only points to itself for DNS entries (e.g. 127.0.0.1). Is this proper?

I saw some articles on Technet saying it's best to have another DNS to point to - I don't have any other DNS on my network (unless you count the pfSense Resolver). I kind of assumed this was some reference to failover or shared workload (e.g. 80/20 rule) but I'm really not sure.

3) Internal network is removed from pfSense - pfSense basically deals with anything external and nothing else. But it is filling quite a few roles still. Is this a good way to have things set up, or are there benefits to using Windows to point to external DNS, as well?

Would it be beneficial to set up a DNS cache using Bind or Windows, and use pfSense only as a firewall?

1 Answer


If you only have one DC then, yes, leave it pointing to itself as the primary DNS - this is Microsoft's recommended practice.

Ideally, though, for the "external DNS" you should configure forwarders as mentioned in this ServerFault.com question (which is very similar to your question): https://serverfault.com/questions/601003/how-to-have-your-dns-servers-forward-queries-for-internet-names

Edit the properties of your DNS server > Forwarders tab > enter the IP address(es) of your ISP/external DNS servers. You can use root hints if you prefer, or if the forwarders are not available. You should also confirm that the Advanced tab > Disable recursion box is unchecked.

If you want to use root hints:

If the DNS Server Root Hints tab is not populated, you can re-enter them from the file: %systemroot%\system32\dns\cache.dns. To have your DNS server recursively resolve queries, your DNS server cannot host a root (. dot) zone.

  • The pfSense firewall is set up to point to external DNS - Google and PIA depending on whether the traffic is routed straight to the ISP or through the VPN. I am not sure of a way to do this through Windows which is why I left it as-is and forwarded to the pfSense DNS resolver ... is pointing to an external DNS advantageous enough to give up this functionality? Sorry if my original question is convoluted. Commented Jul 18, 2017 at 7:36
  • Your Windows clients will be given their DNS settings by the DC DHCP so the clients will initially point to the DC for DNS and it then forwards the request (if it can't fulfil it immediately) to your pfSense which then forwards it off to your ISP/down your VPN etc. etc. – Kinnectus Commented Jul 18, 2017 at 8:03
  • Good, I'm glad that part is working OK ... I couldn't think of any better way to do it, but I appreciate the feedback. Commented Jul 19, 2017 at 1:42
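The answer above describes the forwarders, recursion and root-hints settings through the DNS Manager GUI, which is not available locally on a Server 2016 Core box. The following PowerShell script is an added example, not part of the original question or answer, that audits and applies the same settings with the DnsServer module, and also prints the DC's own client resolver list (question 2). The pfSense LAN address 192.168.1.1, the hostname www.example.com and the use of $env:USERDNSDOMAIN for the domain name are assumptions for illustration; substitute your own values.

```powershell
# Added example (not from the original post or answer): audit the Windows DNS
# Server configuration the answer describes, from the Server Core DC itself.
# Assumes the DnsServer module is present (it ships with the DNS Server role).
Import-Module DnsServer -ErrorAction Stop

$PfSenseLan = '192.168.1.1'   # ASSUMED: pfSense LAN IP that runs the DNS Resolver

# 1) The DC's own client resolver should list itself (127.0.0.1) - question 2.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2) Recursion must be enabled, otherwise neither forwarders nor root hints
#    are ever used ("Disable recursion" on the Advanced tab must be unchecked).
$rec = Get-DnsServerRecursion
if (-not $rec.Enable) {
    Write-Warning 'Recursion is disabled; enabling it.'
    Set-DnsServerRecursion -Enable $true
}

# 3) A server that hosts the root zone "." believes it is authoritative for the
#    whole namespace and will never recurse or forward. Warn, do not auto-delete.
$rootZone = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
if ($rootZone) {
    Write-Warning 'A root (.) zone exists; remove it if this server should recurse.'
    # Remove-DnsServerZone -Name '.' -Force   # uncomment once confirmed unwanted
}

# 4) Forwarders: send unresolved names to the pfSense Resolver and fall back to
#    root hints (UseRootHint) if the forwarder does not answer within 3 seconds.
$fwd = Get-DnsServerForwarder
"Current forwarders: $($fwd.IPAddress -join ', ')  UseRootHint=$($fwd.UseRootHint)"
if (@($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -notcontains $PfSenseLan) {
    Set-DnsServerForwarder -IPAddress $PfSenseLan -UseRootHint $true -Timeout 3
}

# 5) Root hints: show what is loaded. If the list is empty, copy it from a root
#    server (the PowerShell equivalent of "Copy from Server" in the GUI; the
#    on-disk copy lives in %systemroot%\system32\dns\cache.dns).
$hints = @(Get-DnsServerRootHint)
"Root hints loaded: $($hints.Count)"
if ($hints.Count -eq 0) {
    Import-DnsServerRootHint -NameServer 'a.root-servers.net'
}

# 6) Verify the split: an internal name is answered from the AD zone, an
#    external name (ASSUMED: www.example.com) goes out through the forwarder.
Resolve-DnsName -Name $env:USERDNSDOMAIN -Server 127.0.0.1 -Type A |
    Format-Table Name, IPAddress
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -Type A |
    Format-Table Name, IPAddress
```

Run it in an elevated PowerShell session on the DC (or with -ComputerName on the DnsServer cmdlets from a management host). One consequence of the design in the question that the script cannot fix: because every client query is forwarded by the DC, pfSense only ever sees the DC's IP as the DNS source, so its per-internal-IP VPN/non-VPN split does not apply to DNS lookups, which will all leave through whichever upstream the pfSense Resolver itself uses. Client data traffic is still split by source IP as before.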
