Pfsense and Windows Server - NTP, DNS

I’ve got my Primary Domain Controller (Windows Server 2016) on a virtual machine under Hyper-V and after too much fussing about I have

PDC, DNS, DHCP running on the Primary Controller in order to keep Active Directory happy.

As I have been playing about time sync is a thing so I got NTP working nicely out of the PDC and the domain attached machines are sync’ing to it nicely.

Now I’m looking at the router/switch…

PfSense… What is best practice here

  1. Should the router get the time from the internal time server or the external ntp pool?

  2. Alternately … should I be setting up the indirection and have the Windows Domain Controller ask the Firewall/Router for the time and then let pfsense to the talking to the outside world?

  3. Similar question with the DNS I chose the indirect path for DNS… PDC->Firewall->External DNS Server. My internal PDC talks to the firewall ( That way I can enforce filter lists using DNS with PfBlocker ). Letting the firewall be the firewall seems like it makes sense. Which brings me back to 2. Is the appropriate separation of concerns allowing the firewall/router to NTP?