I have a home network that uses an internal subdomain of a domain that I own, int.example.com. The DNS servers on this network are a pair of Raspberry Pis running Pihole, which refer lookups for *.int.example.com to my router (which is still the DHCP server - the Piholes can't serve DHCP due to the physical topology of the network). Local DNS lookups work for all hosts as expected.
I work for a company that runs a corporate split-tunnel VPN (Cisco AnyConnect). I can't control the configuration of this VPN, other than the client setting to allow access to the local network (which I have turned on, though disabling it doesn't seem to make any difference). The VPN client sets up an adapter with metric = 1. On my work laptop running Windows 11, this causes all DNS lookups to go through the VPN tunnel. So a DNS lookup (via nslookup or through a browser) for a host on the internal network, e.g. host.int.example.com, gives no response, and nslookup lists the server as the corporate DNS server, e.g. dns.example_company.com.
I modified the metric of the VPN adapter while it was connected so that it was higher than the metric of the laptop's LAN adapter (which defaults to 25). This flipped the situation so that the local network's DNS servers were used for all DNS lookups. However, it also made lookups fail for internal services on the corporate network e.g. internal_service.example_company.com will not be reachable. So this is a no-go for me.
Strangely, I can see (via Wireshark watching both interfaces simultaneously) that the DNS lookup for the local address goes out on both interfaces and is answered with a valid IP address by the Pi-holes/local router, but this seems to be ignored, as nslookup/the browser says the address could not be found. I can only assume (limited knowledge etc.) that this is because the interface with the lower metric returned a null response, so that null response is preferred.
Is there a way to make Windows use DNS servers specific to a network suffix, from the Windows client side? So e.g. requests for *.int.example.com go to the Piholes on the local network (and thus to the router which can give a valid response), while requests for *.example_company.com will go to the DNS server supplied by the VPN tunnel. I understand that Cisco AnyConnect may have an administrator-controlled setting to do with split DNS but I can't control that, and the issue appears to be caused by the local computer's adapter metrics so I'm not confident that'd fix it anyway.
Note: I have dynamic DNS set up for the domain that I own, e.g. home.example.com, and I have tried to set up an NS record for int.example.com that points to home.example.com, in the hope that this would make the VPN-connected laptop send DNS requests for *.int.example.com to home.example.com. A dig lookup sent explicitly to home.example.com from the VPN-connected laptop does work (I think the router routes it back to itself), but it doesn't work when sent through the default server, i.e. dns.example_company.com doesn't give the client anything that prompts a subsequent lookup to home.example.com. This was probably never going to work, but I had hope.
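Windows does have a client-side mechanism for the per-suffix routing the question asks about: the Name Resolution Policy Table (NRPT), which is managed with the DnsClient PowerShell cmdlets and takes precedence over adapter-assigned servers and metrics for any name that matches a rule. The script below is an added example, not part of the original post and not anything from Cisco or Pi-hole; the two Pi-hole addresses are constructed placeholders, and the suffix and hostnames are the ones used in the question. It must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): send queries for one DNS suffix to
# specific servers on a Windows 11 client, using the Name Resolution Policy Table.
# Assumptions: the Pi-holes are at 192.168.1.2 and 192.168.1.3 (constructed
# placeholder addresses); the suffix is .int.example.com as in the question.

$Namespace = ".int.example.com"                 # leading dot = match the whole suffix
$LocalDns  = @("192.168.1.2", "192.168.1.3")    # placeholder Pi-hole addresses

# 1. Look at what is already there. Some VPN products manage their own NRPT
#    entries, so an existing rule for the corporate suffix must be left alone.
Get-DnsClientNrptRule | Format-Table Name, Namespace, NameServers, Comment

# 2. Make the script safe to re-run: drop any earlier rule for this exact suffix.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

# 3. Add the rule. Names ending in the suffix are now resolved only against
#    $LocalDns; the query is not sent down the tunnel adapter at all, so the
#    empty answer from the corporate resolver can no longer win on metric.
#    Everything else (including *.example_company.com) keeps the normal path.
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $LocalDns `
    -Comment "home lab suffix -> local Pi-holes"

# 4. Confirm the effective policy and test with a fresh cache. The first query
#    uses whatever the client chooses; the second forces one Pi-hole directly,
#    so the two answers should agree if the rule is in effect.
Get-DnsClientNrptPolicy | Format-Table Namespace, NameServers
Clear-DnsClientCache
Resolve-DnsName -Name "host.int.example.com" -Type A -ErrorAction SilentlyContinue
Resolve-DnsName -Name "host.int.example.com" -Type A -Server $LocalDns[0]

# Roll back if needed:
# Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } |
#     ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
```

Two practical points: the servers named in an NRPT rule still have to be reachable over the LAN while the tunnel is up, which is what the AnyConnect "allow local LAN access" client setting governs, so if the rule is in place and queries to 192.168.1.2 time out, the tunnel's routing rather than name resolution is what to look at next. And because the rule only matches names under the given suffix, a reverse lookup for a 192.168.x.x address is not covered unless a second rule for the matching in-addr.arpa namespace is added.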