Hi,
TLAs are your friends :)
When it comes to DNS, having a hidden master and then public slaves to serve your zone is common, or you can have your zone in a DB and push the update on change. You may want to have a look at which DNS server you want to use: BIND, NSD, PowerDNS, MaraDNS, djbdns... one may be better than the others for your setup. There are also plenty of tools to keep your DNS data in SQL. I really liked NameSurfer[1] when I used it (back around 2000) but it was _horribly_ expensive back then. I have happily used Sauron[2]; the interface is not really pretty but it works well.
If the reason for having two DCs is not resilience then LVS or HAProxy[3] (never looked at pfSense) are good; I would be tempted to use HAProxy with Apache mod_rpaf. It detects dead backends and I think it is simpler to configure. For failover you can also have a look at Spread/Wackamole[4].
I would love to see browsers use SRV records for web but I have lost hope, so unless you can unicast your network (very unlikely) the second DC is more of a pain than anything for web.
For webmail, as long as it uses IMAP as a backend it should not be an issue. Roundcube, for example, uses a DB for storing attachments and can be load balanced easily.
I will stop here, as if we start looking at DB replication or mail clusters the mail risks becoming very long :D
Thomas
[1] http://www.nixusoftware.com/products_nss.html
[2] http://sauron.jyu.fi/
[3] http://haproxy.1wt.eu/
[4] http://www.backhand.org/wackamole/ and http://www.google.com/search?q=spread+wackamole
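As an added illustration of the HAProxy plus mod_rpaf setup Thomas recommends (this is example configuration written for this page, not something from his mail or from the HAProxy project), here is a minimal HAProxy front end that detects dead backends with active health checks and passes the real client address to Apache. The backend addresses (10.0.0.11, 10.0.0.12), the proxy's own address 10.0.0.1 and the /healthz check URL are assumptions for the example.

```haproxy
# haproxy.cfg: HTTP load balancer in front of two Apache backends.
# 10.0.0.11 / 10.0.0.12 and the /healthz URL are placeholders for this example.
global
    log /dev/log local0
    maxconn 4096
    user haproxy
    group haproxy

defaults
    mode http
    log global
    option httplog
    # Add X-Forwarded-For with the client's address; Apache's mod_rpaf
    # rewrites REMOTE_ADDR from that header so logs and ACLs see the client,
    # not the proxy.
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80
    default_backend apache

backend apache
    balance roundrobin
    # Active health check every 2s: a server is marked down after 3 failed
    # checks (fall 3) and put back in rotation after 2 good ones (rise 2),
    # so traffic stops going to a dead backend without manual intervention.
    option httpchk GET /healthz HTTP/1.0
    server web1 10.0.0.11:80 check inter 2s fall 3 rise 2
    server web2 10.0.0.12:80 check inter 2s fall 3 rise 2
```

On the Apache side, mod_rpaf needs `RPAFenable On`, `RPAFheader X-Forwarded-For` and `RPAFproxy_ips` set to the HAProxy address(es) only (here 10.0.0.1, an assumed value). That last directive is the security-relevant part: X-Forwarded-For is just a header anyone can send, so if Apache trusted it from arbitrary sources a client could forge its own address in logs and defeat any IP-based access control on the backend. Restricting it to the proxy addresses means only the header HAProxy itself wrote is honoured.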