DNS override only when IPsec tunnel is up
Home <-> Office
I've got an IPsec tunnel working with two P2s giving me two remote subnets, one with the servers I need to access (mainly ssh and https), and the other with a DNS server for internal addresses.
So my.domain.com has a public/external address but also an internal one which this DNS server returns. When the IPsec tunnel is up I want to use that internal DNS server for anything on domain.com; when the IPsec tunnel is down I want to use others/public ones (and also not any cached lookups from when the tunnel was up, because I won't be able to reach those addresses anymore). I'm currently using DNS Forwarder (but will switch if DNS Resolver is needed to solve this).

I set up a "Domain Override" to use the internal DNS server for domain.com - that works great and resolves my.domain.com to its internal address when the tunnel is up. But when the tunnel is down DNS will hang because the server can't be reached, and also - when I dig pfSense DNS - those names seem to be cached to the internal addresses, which can't be reached. How can I use the internal DNS server only when the tunnel to it is up?
I could not find anything useful in the UI.
From my initial research it seems I need to create an ipsec-updown script which creates/removes the domain override as per tunnel state (caching issue aside for a moment - that might be a custom option for dnsmasq?).
But to run that script I would need to slot that into swanctl.conf (or /cf/conf/config.xml) which will be overwritten by changes through the UI. Persisting the changes seems to require yet another script which patches the config, and watching changes to config.xml to trigger the patching - really?

Thank you for any pointers.
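A sketch of the up/down hook the post describes, as an added example that is neither the poster's script nor pfSense's own code: it assumes dnsmasq is started with `--servers-file` pointing at the file the hook rewrites (dnsmasq re-reads that file and clears its cache on SIGHUP, which also covers the stale-cache concern), uses a placeholder internal DNS address, and leaves the question of persisting the hook in config.xml untouched.

```shell
#!/bin/sh
# Added example (not from the original post or pfSense): an IPsec up/down hook
# that keeps a dnsmasq override for domain.com only while the tunnel is up.
# Assumptions: dnsmasq was started with --servers-file pointing at
# OVERRIDE_FILE (dnsmasq re-reads that file and clears its cache on SIGHUP),
# and INTERNAL_DNS is a placeholder for the internal server behind the tunnel.

OVERRIDE_DOMAIN="domain.com"
INTERNAL_DNS="10.99.0.53"   # placeholder address, not from the post
OVERRIDE_FILE="${OVERRIDE_FILE:-/var/db/ipsec-dns-override.conf}"

# Map the verbs a strongSwan updown hook receives in PLUTO_VERB (or a plain
# "up"/"down") to a tunnel state.
tunnel_state() {
    case "$1" in
        up|up-client|up-host)       echo up ;;
        down|down-client|down-host) echo down ;;
        *)                          echo unknown ;;
    esac
}

# Tunnel up: forward the domain to the internal server.
override_up() {
    printf 'server=/%s/%s\n' "$OVERRIDE_DOMAIN" "$INTERNAL_DNS" > "$1"
}

# Tunnel down: empty the file so the domain falls back to the general
# forwarders (the file must keep existing for --servers-file).
override_down() {
    : > "$1"
}

# SIGHUP: dnsmasq reloads the servers file and drops cached answers, so the
# internal addresses learned while the tunnel was up are not served afterwards.
reload_dnsmasq() {
    pkill -HUP dnsmasq 2>/dev/null || true
}

# $1 = verb or state, $2 = servers file (defaults to OVERRIDE_FILE).
apply_override() {
    file="${2:-$OVERRIDE_FILE}"
    case "$(tunnel_state "$1")" in
        up)   override_up "$file" ;;
        down) override_down "$file" ;;
        *)    return 1 ;;   # ignore other verbs, e.g. during rekeying
    esac
    reload_dnsmasq
}

# Hook entry point: only act when invoked with a verb by the IPsec daemon.
if [ -n "${1:-${PLUTO_VERB:-}}" ]; then
    apply_override "${1:-$PLUTO_VERB}"
fi
```

Whether pfSense's generated dnsmasq command line can be made to include `--servers-file` (for instance via the DNS Forwarder custom options) is not something the post confirms, so check that before relying on it.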