DNS Upstream Best Practice


I’d like to know what some of you do with regard to configuring AD + firewall DNS + DNS filtering services, and how they are structured in your local network.

Say for example, if you have a network with:

DNS Filtering Services:
NGFW Firewall:
Active Directory:

Do you normally set your DHCP server to hand out DNS as the firewall’s address, in which case you would have the DNS settings below:

NGFW Firewall: DNS enabled, with upstream configured to (AD), and its upstream DNS set to (Filtering services).

Or do you have your DHCP server hand out DNS as the AD, in which case you would have the following DNS settings:

AD: DNS enabled, with upstream configured to (NGFW), and its upstream DNS set to

Or a more complex one, where your DHCP server is set to the firewall’s address, but the firewall is configured to forward any requests for the local AD domain to, and the rest through the DNS filtering services?

If you have Active Directory, the best practice is to let AD handle DNS and DHCP.


I would set up DHCP to provide the DNS of AD and then have a forwarder to your filtering services. I would also look into a DNS provider that supports DoH. Not many talk about this, but it will provide better security.

1 Like

In the Windows world it’s best practice to have Windows handle DHCP and DNS, but it’s not impossible to have your pfSense box handing out DHCP and set DHCP to supply the DNS of your domain controller. Then have your upstream DNS from the domain controller go to the pfSense box. In this way you don’t have to configure your switches with IP helper, and you can put the ports you want in whatever VLAN you want. Of course there might be some performance loss because of the extra hops for DNS. Choice is up to you though.

1 Like
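The layout the second and third replies describe (clients get the domain controller as their resolver; the DC forwards everything it is not authoritative for either to the filtering service or to the pfSense box), as an added PowerShell example that is not part of the thread. All addresses and the domain name are assumed lab values: domain corp.example.com, DC/DNS server 10.0.10.5, DHCP scope 10.0.10.0/24, filtering resolvers 192.0.2.53 and 192.0.2.54 (TEST-NET-1 placeholders), pfSense LAN address 10.0.10.1. It runs on the DC in an elevated session with the DnsServer and DhcpServer modules available. The DoH suggestion is not shown: Windows DNS Server forwarders speak plain DNS on port 53, so encryption toward the provider has to be terminated on a resolver that supports it (pfSense Unbound can do DNS over TLS to its forwarders, for example).

```powershell
# Added example, not from the thread. Assumed lab values below.
$Domain     = 'corp.example.com'          # AD DNS domain
$DcDns      = '10.0.10.5'                 # domain controller running DNS
$ScopeId    = '10.0.10.0'                 # DHCP scope for the client VLAN
$Filtering  = @('192.0.2.53', '192.0.2.54')  # filtering service resolvers (placeholders)
$PfSenseLan = '10.0.10.1'                 # pfSense LAN address (third reply's variant)

# 1. DHCP option 006 (DNS servers) and 015 (DNS domain): clients get the DC
#    as their ONLY resolver plus the AD suffix. Do not list the firewall or a
#    public resolver next to the DC: Windows clients pick servers unpredictably,
#    and a non-AD resolver cannot answer the _ldap._tcp.dc._msdcs SRV lookups,
#    so logons and GPO processing fail intermittently.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcDns -DnsDomain $Domain

# 2. Forwarders on the DC: everything outside its own zones goes to the
#    filtering service. -UseRootHint $false prevents the DC from falling back
#    to iterative resolution via the root hints when the forwarders time out,
#    which would silently bypass the filter.
Set-DnsServerForwarder -IPAddress $Filtering -UseRootHint $false -Timeout 3

# Variant for the third reply: forward to the pfSense box instead and let its
# resolver (Unbound) talk to the filtering service.
# Set-DnsServerForwarder -IPAddress $PfSenseLan -UseRootHint $false -Timeout 3

# 3. Verify the chain: the DC answers its own zone directly and resolves an
#    external name only through the forwarders.
Get-DnsServerForwarder
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcDns
Resolve-DnsName -Name 'example.org' -Server $DcDns
```

To confirm that nothing bypasses the filter, temporarily block outbound UDP/TCP 53 from the DC to anything except the forwarder addresses on the firewall; if external names still resolve, root-hint fallback or a second forwarder path is still in play.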