2 pfSense installations at different sites -- can one serve as "truth" for DNS setup?

I just got done watching Techno Tim’s setup for 2025: https://www.youtube.com/watch?v=l9yY_VWCWlM&pp=ygUJdGVjaG5vdGlt.

Here he discusses everything running on his homelab, and jeez, what a very complex setup. Not working in the computer industry as my day job, I found the setup very complex!!!

One thing his setup however shares with my own, was that he mentions he has two sites (home and external), which are connected by site-to-site VPN. I’m using site-to-site Wireguard configured between 2 pfSense installations, he’s using TailScale.

Within his setup - he’s running 5 DNS servers – all Pi-hole. Some are used for duplication and HA, however he has one machine act as a source of “truth” from which the 4 other machines sync their records with this source of truth. He mentions specifically DNS records when needed to be altered or changed must be done on the “truth” machine and nowhere else to keep the setup consistent.

I’m aware pfSense runs unbound as their DNS software, however I was wondering if pfSense could be configured in a similar manner or setup to pull its DNS overrides from a common source. Clearly I would think this would be a common scenario with split sites. TechnoTim is using Pi-hole, however I’ve heard others use BIND as the source of “truth”. How would pfsense then be configured to pull and synchronize from this source – or is this even possible?

I’ve asked this question on the pfSense forums, and I had a few people ask some questions regarding the setup – mention BIND – however in terms of details I received very little from the forums, which I was kind of surprised about.

If the goal is to keep things simple then have one pfsense be the source of truth DNS and have all the devices point that pfsense for their DNS. Setting up bind would work but would be more complex. For myself I go even easier, I update the DNS in my studio / home and the one at the office at the same time with the same data. I don’t change DNS often enough for this to be an issue.

My impression is that unbound (at least the pfSense implementation) doesn’t easily handle zone transfers, which is how you keep multiple dns servers in sync.

Here’s the alternative: set up a dns server outside pfSense and have both sites forward queries there. Techno Tim does this with pihole, like you mentioned, but you could do it with bind9, or PowerDNS, or whatever. I’ve been using Technitium for the past year or so and have been quite happy with it.

This doesn’t have to be public either. You could connect via a WireGuard tunnel between pfSense and the dns server.

Thanks @tvct. I’ll look at the options for formal dns servers. I’ve never heard of Technitium however now it’s on my list. I know it sounds like a bit of a nuanced take, however it would be great if DNS requests could be resolved locally without hitting a WG tunnel for every DNS request that isn’t cached. Perhaps setting a master DNS would be the first step however just to explore and get the ball rolling.

@LTS_Tom – for small setups I can understand updating both pfSense DNS records at once, however I’m honestly very surprised pfSense doesn’t expose an API whereby you could automate this using Ansible or some other method. I guess I’m kind of scratching my head here a little asking if I’m the only one asking for such a zone transfer function with pfSense. Now the CE is almost never updated I’m not holding my breath that either an exposed API or a zone transfer method would ever be implemented. Oh well. Continual learning.
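The thread's two practical worries are keeping the host overrides on two pfSense boxes identical when they are edited by hand, and having one place that counts as the record of truth. As an added example (not code from the thread, from pfSense, or from any poster), the script below works only from each site's exported config.xml (Diagnostics > Backup & Restore), so it needs no API: it pulls the Unbound host overrides and their aliases out of each export, reports every name that is missing, extra or pointing at a different address on the replica, and renders the truth site's records as plain `IN A` lines that a BIND or other zone-based server could carry. The XML layout it parses (`/pfsense/unbound/hosts` entries with `host`, `domain`, `ip` and `aliases/item`) is what recent pfSense exports look like, but treat it as an assumption and check it against your own backup; the two configs embedded here are constructed sample data.

```python
"""Drift check for pfSense Unbound host overrides across two sites.

Assumption (not from the thread): each site's config is a pfSense config.xml
export whose Unbound host overrides are repeated <hosts> elements under
/pfsense/unbound, each carrying <host>, <domain>, <ip> and an optional
<aliases><item>...</item></aliases> list. The XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the site you treat as the source of truth.
SITE_TRUTH_XML = """<?xml version="1.0"?>
<pfsense>
  <unbound>
    <hosts>
      <host>nas</host><domain>home.lan</domain><ip>10.10.0.20</ip><descr>NAS</descr><aliases></aliases>
    </hosts>
    <hosts>
      <host>git</host><domain>home.lan</domain><ip>10.10.0.30</ip><descr></descr>
      <aliases><item><host>gitea</host><domain>home.lan</domain><description></description></item></aliases>
    </hosts>
  </unbound>
</pfsense>
"""

# Constructed sample: the second site, edited by hand and now out of step.
SITE_REPLICA_XML = """<?xml version="1.0"?>
<pfsense>
  <unbound>
    <hosts>
      <host>nas</host><domain>home.lan</domain><ip>10.10.0.20</ip><descr>NAS</descr><aliases></aliases>
    </hosts>
    <hosts>
      <host>git</host><domain>home.lan</domain><ip>10.10.0.31</ip><descr></descr><aliases></aliases>
    </hosts>
    <hosts>
      <host>printer</host><domain>office.lan</domain><ip>10.20.0.40</ip><descr></descr><aliases></aliases>
    </hosts>
  </unbound>
</pfsense>
"""


def load_overrides(xml_text: str) -> dict:
    """Return {fqdn: ip} for every host override and alias in a config export."""
    root = ET.fromstring(xml_text)
    overrides = {}
    for entry in root.findall("./unbound/hosts"):
        ip = (entry.findtext("ip") or "").strip()
        host = (entry.findtext("host") or "").strip()
        domain = (entry.findtext("domain") or "").strip()
        if not (ip and host and domain):
            continue  # malformed entry: skip rather than guess a value
        overrides[f"{host}.{domain}"] = ip
        # An alias answers with the same address as its parent override.
        for alias in entry.findall("./aliases/item"):
            alias_host = (alias.findtext("host") or "").strip()
            alias_domain = (alias.findtext("domain") or "").strip() or domain
            if alias_host:
                overrides[f"{alias_host}.{alias_domain}"] = ip
    return overrides


def diff_overrides(truth: dict, replica: dict) -> dict:
    """Describe how the replica's overrides differ from the source of truth."""
    shared = set(truth) & set(replica)
    return {
        "missing_on_replica": sorted(set(truth) - set(replica)),
        "extra_on_replica": sorted(set(replica) - set(truth)),
        "conflicts": {n: (truth[n], replica[n]) for n in sorted(shared) if truth[n] != replica[n]},
    }


def to_zone_records(overrides: dict, zone: str) -> list:
    """Render the overrides that belong to `zone` as relative 'name IN A ip' lines."""
    suffix = "." + zone
    return sorted(
        f"{fqdn[: -len(suffix)]} IN A {ip}"
        for fqdn, ip in overrides.items()
        if fqdn.endswith(suffix)
    )


if __name__ == "__main__":
    truth = load_overrides(SITE_TRUTH_XML)
    replica = load_overrides(SITE_REPLICA_XML)
    for key, value in diff_overrides(truth, replica).items():
        print(f"{key}: {value}")
    print("\n".join(to_zone_records(truth, "home.lan")))
```

Run it against two real exports by replacing the embedded strings with the file contents; a non-empty `conflicts` entry is the case that bites hardest, because both sites answer confidently for the same name with different addresses.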

No one should be managing DNS at scale with something like pfsense. It’s not the right tool for the job.