I have a setup consisting of a physical server (server) running Ubuntu, on that, a Windows 2016 Server running as a VM serves as a Domain Controller (dc).
I then have another physical machine acting as my router running pfSense (router). The router is acting as the DHCP server, although I have heard that it's preferred to let dc handle it. Mostly because it's handy to log into the webadmin of pfSense to fix things instead of using Remote Desktop to log in to dc, and also since dc is a VM and, depending on a reboot of its host server, might not be up when I need it to be. For instance, server would have issues asking for a DHCP lease from dc if it hadn't started the VM of dc first.
It's also configured as a DNS Resolver. It allows it (and me) to easily add specific hostnames for an IP, reroute stuff, etc. Since I have three children in the house it also allows me to apply basic DNS-filtering-based "protection" against certain "known things" by running BlockerNG and Snort (although I still need more time to configure this).
I had set the DHCP Server on router to give the IP of dc as the first DNS server, and then dc uses router as a forwarding DNS for things outside my own network. This all seems to work fine. The Active Directory on the domain works fine, internal hostnames work fine and external hosts are resolved correctly.
But now I was thinking about adding NxFilter to the mix. My idea is to be able to do more fine-grained DNS filtering with that for the kids based on their Domain Users. But I'm starting to feel that there might be a bit "too many" DNS servers involved in my setup and that I might not be doing it in the "correct" way.
To try it, I just installed NxFilter as a docker container on server with its own LAN IP. I then simply added the IP of the NxFilter installation as the first DNS server in the list of DNS servers handed out by the DHCP Server on router, and added the IP of router and its DNS Resolver as the upstream DNS server of NxFilter. Since router's list of DNS servers includes dc, NxFilter first tries to resolve and applies its rules, then if needed it forwards to router, which in turn looks up domain stuff using dc.
Now, this seems to actually work out fine. But I'm not sure it is the "correct" way. Part of me is thinking that a "better" approach would be to have dc as the DNS used and add NxFilter, and perhaps even dc, as forwarding DNS servers in dc. But I'm not sure I would be able to apply both BlockerNG rules and NxFilter rules if I go that route, especially for hosts that might be inside my own network.
Now, I'm quite new to having any kind of "advanced" DNS setup, so I hope this isn't too complicated and doesn't explode someone's head.
Configure the DHCP server to assign the DC as the DNS server for DHCP clients. Configure the DC to use NxFilter as a forwarder. Configure NxFilter accordingly to resolve DNS queries for external names.
You don't really need to use the router as a forwarder. You certainly can, but it isn't necessary and would just be adding an unneeded resolver to the query "chain".
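The chain the answer recommends (DHCP clients -> DC -> NxFilter -> Internet) is the kind of thing that is easy to half-apply and then not notice that some queries still take another path. The script below is an added example, not part of the question, the answer or any of the products named; it applies the DC side of that chain on the Windows Server 2016 DC and then checks it. It assumes the DnsServer PowerShell module (installed with the DNS Server role), an elevated session on the DC, and placeholder addresses `192.0.2.5` for the DC and `192.0.2.10` for the NxFilter container. Disabling root hints is an assumption of the example, not something the answer specifies; it is there so that queries cannot quietly bypass NxFilter if it stops answering.

```powershell
# Added example (not from the question or the answer): configure the DC to use
# NxFilter as its only forwarder and verify that clients, the DC itself and
# external lookups all follow the intended path. Addresses are placeholders.
Import-Module DnsServer

$NxFilterIp = '192.0.2.10'   # placeholder: LAN IP of the NxFilter container
$DcIp       = '192.0.2.5'    # placeholder: LAN IP of this DC

# 1. Replace the DC's forwarder list with NxFilter alone. -UseRootHint $false
#    (an assumption of this example) stops the DC from falling back to the root
#    servers when NxFilter does not answer, which would let queries bypass the
#    filter without any error being visible to the client.
Set-DnsServerForwarder -IPAddress $NxFilterIp -UseRootHint $false

# 2. Confirm nothing else (for instance the router) is still listed as a
#    forwarder; Compare-Object returns nothing when both lists match.
$forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
if (Compare-Object $forwarders @($NxFilterIp)) {
    throw "Forwarder list is [$($forwarders -join ', ')], expected only $NxFilterIp"
}

# 3. The DC's own DNS client should point at a DC (here: itself). If it points
#    at the router instead, the DC's own lookups take a different path than
#    the clients' and AD record registration can end up on the wrong server.
$pointsAtSelf = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $DcIp }
if (-not $pointsAtSelf) {
    Write-Warning "No interface on the DC lists $DcIp as its DNS server"
}

# 4. Query the DC the way a DHCP client would. An AD name must be answered
#    from the DC's own zone; an external name must come back via the forwarder.
$domain   = $env:USERDNSDOMAIN
$internal = Resolve-DnsName -Name "$env:COMPUTERNAME.$domain" -Server $DcIp -Type A -ErrorAction Stop
$external = Resolve-DnsName -Name 'example.com' -Server $DcIp -Type A -ErrorAction Stop
'Internal: {0} -> {1}' -f $internal[0].Name, $internal[0].IPAddress
'External: {0} -> {1}' -f $external[0].Name, $external[0].IPAddress

# 5. Cross-check that the external answer really passed through NxFilter by
#    asking NxFilter directly. Different answer sets mean the DC reached the
#    Internet some other way (a leftover forwarder, root hints, a stale cache).
$direct   = Resolve-DnsName -Name 'example.com' -Server $NxFilterIp -Type A -ErrorAction Stop
$dcAnswer = @(($external | Where-Object Type -eq 'A').IPAddress)
$nxAnswer = @(($direct   | Where-Object Type -eq 'A').IPAddress)
if (Compare-Object $dcAnswer $nxAnswer) {
    Write-Warning 'DC and NxFilter returned different A records for example.com; check the forwarder path'
} else {
    'External answers via the DC match NxFilter: forwarder path confirmed'
}
```

With this in place the pfSense DHCP scope only needs to hand out the DC's address, and any BlockerNG decisions on the router no longer apply to client lookups, because nothing in the chain asks the router any more; if you still want the router's lists enforced, NxFilter's upstream is where that choice is made.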