BIND on Opnsense as Secondary to MS DNS

Started by yoGhurt, September 08, 2025, 04:40:21 PM

Hi,

Could someone help me with configuring BIND in my environment, as I'm stuck?
I'm trying to figure out how to configure BIND with my AD-enabled DNS server on WS 2019. I've seen a few topics on this forum and around the Internet, but I'm definitely missing some pieces.

According to what I have, on AD DNS I should:
- Enable BIND secondaries on AD DNS
- Add Opnsense to Name Servers for all Forward Lookup Zones
- Enable Zone Transfer to the machines on the list above

On Opnsense:
- Add both DNSes to System -> General -> Networking
- Confirm that "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked
- Disable other DNS services like Unbound
- Do basic BIND configuration
- Add my domain.local and _msdcs.domain.local to Secondary Zones

And with that I'm stuck: access to the Internet works, but from a test client I still cannot ping any test service that's under this domain.
I wasn't sure if an ACL was needed, but I created a basic one for my whole IP range; that helped only partly. Previously I had errors where Opnsense couldn't sync with AD DNS. Now at least it syncs something, but I'm getting "Transfer status: unexpected end of input" in the BIND log.

Any advice on where I should check next would be helpful.

Inb4:
- Why? Because currently I'm using only Unbound, which has query forwarders to my domain controllers. The problem is that this isn't redundant in any way, and when Opnsense isn't available (for any reason), my local network dies.
- Why not 2x MS DNS? Because I'm not sure if I want to keep everything on these servers, I wanted to still use Opnsense for DNS, and it was interesting to test if it's even possible. Also, for non-domain devices, Opnsense is "closer" in the network than my DNS servers on the domain controllers.
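An added example, not part of the post above and not code from OPNsense or BIND: a small POSIX shell script to run on the Opnsense box itself (so the DC sees the same source address BIND uses) that performs the same AXFR the BIND secondary attempts and judges whether the DC delivered a complete zone. The zone names are the ones from the post; the AD DNS address 192.0.2.10 and the script name zonecheck.sh are placeholders, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify from the Opnsense side
# that the AD DNS server actually hands out the zones BIND is told to pull.
# MASTER is a placeholder address; override it with MASTER=<dc-ip>.
set -u

MASTER="${MASTER:-192.0.2.10}"
ZONES="domain.local _msdcs.domain.local"

# Pull a zone over TCP the way BIND's secondary does. dig's own comments and
# error lines start with ';' and are filtered by axfr_verdict.
axfr_zone() {
    dig +tcp +noall +answer @"$MASTER" "$1" AXFR 2>&1
}

# Read dig's AXFR output on stdin and decide whether it is a complete transfer:
# a full AXFR starts with the zone apex SOA and ends with that same SOA.
# An empty answer, "Transfer failed", or a stream that stops before the closing
# SOA is reported as FAIL (exit status 1); otherwise OK (exit status 0).
axfr_verdict() {
    awk -v zone="$1" '
        BEGIN { n = 0 }
        /^;/ || NF == 0 { next }                 # skip dig comments/errors
        { n++; if (n == 1) { name = $1; first = $4 }; last = $4 }
        END {
            if (n < 2 || name != zone "." || first != "SOA" || last != "SOA") {
                print "FAIL (" n " records)"; exit 1
            }
            print "OK (" n " records)"
        }'
}

# SOA serial as seen by a given server; compare the DC against local BIND to
# see whether the secondary ever loaded the zone and whether it is current.
soa_serial() {
    dig +short @"$1" "$2" SOA | awk '{ print $3 }'
}

main() {
    for zone in $ZONES; do
        printf '%-22s AXFR from %s: ' "$zone" "$MASTER"
        if ! axfr_zone "$zone" | axfr_verdict "$zone"; then
            echo "  -> check Zone Transfers / BIND secondaries on the DC and the BIND ACL on Opnsense"
        fi
        printf '%-22s serial: master=%s local=%s\n' "$zone" \
            "$(soa_serial "$MASTER" "$zone")" "$(soa_serial 127.0.0.1 "$zone")"
    done
}

# Network checks only run when invoked as:  sh zonecheck.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If the manual AXFR from the Opnsense host succeeds but BIND still logs a transfer error, look at the secondary zone definition and the ACL in the BIND plugin; if the manual AXFR also fails or stops short of the closing SOA, start with the DC's Zone Transfers tab and the BIND secondaries setting before touching anything on Opnsense. A local serial that stays empty while the master reports one means the secondary has never loaded the zone.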