"it first asks the local DNS on the DC, then moves to the router
which then forwards it to the public DNS provided in the General Setup tab."NO NO NO NO!!!
Client dns never ever does this!
A member of an active directory domain should point to the AD DNS - period!
to set up your AD to FORWARD unknown requests to a Name Server that can look it up, or just let your AD DNS look it up directly from the roots.
Here is what happens.. Your member of AD client has 1 OPTION for dns, that is your AD dns -- it never goes and asks the router, it never goes and asks googledns, it never goes and asks opendns.. It ONLY ASKS your AD DNS!! PERIOD!! The only time a member machine in your active directory should have more than 1 dns server listed is if you have more than 1 AD DNS (even then you don't normally do it). You don't point it to your router, you don't point it to googledns, you don't point it to 220.127.116.11 or your isp dns, you ONLY Point it to your AD DNS!
If your client wants to know the ip for www.google.com -- it ASKS your AD DNS! PERIOD!! Your AD DNS goes and looks up www.google.com for the client. This is the way active directory works.
Now either AD DNS looks it up directly for the client via the root hints, or in the forwarders tab you listed but have blank you put some dns you want the AD DNS to ask when it does not have a zone for the domain you're looking up, like googledns, etc. You can put in your pfsense IP if that is what you want. But pfsense is just going to forward it again. So that is kind of pointless if you ask me.. Unless you don't want AD dns to make connections outside your network, etc. You can put in googledns, you can put in 18.104.22.168, you can put in opendns, etc.
Now your client wants to know the ip for www.somedomain.tld -- the dns of your client says hey I don't have that cached, I need to go ask my dns.. So it asks your AD DNS. AD DNS says oh you're looking for www.somedomain.tld, let me check - nope I do not have that cached either, nor do I have any zones telling me I own that somedomain.tld.
So let me go ask my "forwarder" for that -- maybe he knows. Then either the forwarder returns what he has in his cache, or he goes and asks his forwarder, etc. At some point if not cached a name server that has no forwarder listed will have to go ask the root servers for who owns, .tld -- it will then go ask one of the owning servers of .tld for the name servers of somedomain. It will then go ask that name server for the A record WWW.
If you do not have forwarder(s) set up in your AD dns -- and your AD DNS does not have a zone for somedomain.tld, if you have it allowed to use root hints, it will ask the roots, then ask the authoritative server for the .tld of the domain you're looking up, and then go ask the somedomain.tld ns it got from the tld ns, etc.
Does this make it clearer?
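An added audit script (not from the post above) that checks the two things the reply insists on: a domain member's adapters list only the AD DNS servers, and the DC's DNS server either has forwarders or falls back to root hints. The DC address list in `$AdDnsServers` is a constructed placeholder; `Get-DnsServerForwarder` is only available where the DnsServer module is installed (i.e. on the DC itself).

```powershell
# Constructed placeholder: replace with the actual IPs of your AD DNS servers.
$AdDnsServers = @('192.0.2.10', '192.0.2.11')

Write-Host "== DNS client configuration on $env:COMPUTERNAME =="
# Every IPv4 adapter's DNS server list should be a subset of the AD DNS servers.
# Any other address (router, ISP, public resolver) means the client can bypass AD DNS.
$problems = 0
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $bad = $_.ServerAddresses | Where-Object { $AdDnsServers -notcontains $_ }
        if ($bad) {
            $problems++
            Write-Warning ("{0}: non-AD DNS server(s) configured: {1}" -f $_.InterfaceAlias, ($bad -join ', '))
        } else {
            Write-Host ("{0}: OK ({1})" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '))
        }
    }
if ($problems -eq 0) { Write-Host 'Client points only at AD DNS - good.' }

# On a DC: show how AD DNS resolves names it has no zone for.
if (Get-Module -ListAvailable -Name DnsServer) {
    Write-Host "`n== DNS server forwarding on $env:COMPUTERNAME =="
    $fwd = Get-DnsServerForwarder
    if ($fwd.IPAddress) {
        Write-Host ("Forwarders: {0}" -f ($fwd.IPAddress.IPAddressToString -join ', '))
        Write-Host ("Fall back to root hints if forwarders fail: {0}" -f $fwd.UseRootHint)
    } else {
        Write-Host 'No forwarders configured; AD DNS resolves external names via root hints.'
        Write-Host ("Root hint count: {0}" -f (Get-DnsServerRootHint).Count)
    }
} else {
    Write-Host "`nDnsServer module not present; run this part on the DC to inspect forwarders."
}

# Prove the path end to end: ask the AD DNS server directly for an external name.
Resolve-DnsName -Name www.google.com -Server $AdDnsServers[0] -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress
```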