We strongly recommend not installing Heimdal V2 on Domain Controllers. The reason is that, if you use the "Traffic Filtering" feature, Heimdal will change the "Preferred DNS Server" under your IPv4 protocol settings to 127.0.0.1, and clients will no longer be able to communicate with your DC.
The external DNS requests that clients make are resolved by Heimdal via our cloud service, but the internal ones are resolved by your local DNS server, in this case your DC. With the DNS value changed to 127.0.0.1, no machine on the domain will know what the local DNS server is, and not even the server itself will know that it should be resolving those requests.
Why are local resources resolved by the local DNS server?
Usually, companies keep local resources (such as file servers, print servers, SharePoint servers, etc.) on local servers that have no communication with the internet but do communicate with the intranet. Their FQDNs (Fully Qualified Domain Names) cannot be resolved by an external DNS server, only by a local one.
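As an added check (not Heimdal's own code) to detect the condition described above before it breaks resolution, the following PowerShell reports every IPv4 interface whose preferred DNS server is 127.0.0.1 and then confirms the domain name still resolves. It assumes it is run on the DC with the built-in DnsClient module available.

```powershell
# Added example, not part of the Heimdal article or product.
# Assumes Windows Server with the DnsClient module (Get-DnsClientServerAddress, Resolve-DnsName).
function Test-DcDnsClientConfig {
    [CmdletBinding()]
    param()
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        $servers = @($cfg.ServerAddresses)
        if ($servers.Count -eq 0) { continue }   # interface with no DNS servers configured
        [pscustomobject]@{
            Interface     = $cfg.InterfaceAlias
            PreferredDns  = $servers[0]
            AllDns        = ($servers -join ', ')
            # The symptom from the article: loopback has been placed first.
            LoopbackFirst = ($servers[0] -eq '127.0.0.1')
            # Worse case: loopback is the only resolver left on the interface.
            LoopbackOnly  = (@($servers | Where-Object { $_ -ne '127.0.0.1' }).Count -eq 0)
        }
    }
}

$report = Test-DcDnsClientConfig
$report | Format-Table -AutoSize

$affected = @($report | Where-Object { $_.LoopbackFirst })
if ($affected.Count -gt 0) {
    Write-Warning "Preferred DNS is 127.0.0.1 on: $($affected.Interface -join ', ')"
}

# Confirm that the domain itself still resolves through the configured resolvers.
try {
    Resolve-DnsName -Name $env:USERDNSDOMAIN -Type A -ErrorAction Stop | Out-Null
    Write-Output "Domain $env:USERDNSDOMAIN resolves."
} catch {
    Write-Warning "Domain $env:USERDNSDOMAIN does not resolve: $($_.Exception.Message)"
}

# To restore the setting, point the interface back at the DC's DNS service, e.g.
# Set-DnsClientServerAddress -InterfaceAlias '<INTERFACE>' -ServerAddresses '<DC_DNS_IP>'
# (placeholders; use the addresses that match your environment).
```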
Is this an oversight in product development?
No, it is not.
In real environments, DCs are not used for web browsing, and most companies/system admins do not want updates on their DCs, since local proprietary applications depend on specific Java, IE versions, etc. The server usually benefits from other security measures for safe browsing, such as a security-enabled browser module that prompts for admin permission each time a tab is loaded. As a general rule, regular users do not have access to browsing the web via a DC.