NextDNS - VPN Split Horizon
Hi,
I am using a VPN to protect access to my private network resources such as demo websites for client presentations. I have recently started using NextDNS and I am using Rewrites in NextDNS profiles to push any HTTPS traffic for my private workloads over the VPN e.g.
*.private.demosite.com -> 10.11.12.13
When my VPN is connected this works fine and I can access my workloads. When the VPN is disconnected, then I cannot connect. I am happy with that setup.
The issue I see (and perhaps I am overthinking this) is when my users are on a customer site they often have to connect to the customer guest wifi and this is often on private IP ranges, so I cannot rewrite all private traffic over to the VPN as this means my user may not be able to connect to a login page if it is returned on an IP address range already added as a rewrite.
Also, if travelling, my users often have to connect to hotel wifi (where they all know to connect via VPN). However, there is a use case when a user could try to connect to my private demo sites whilst not connected to the VPN, so therefore *.private.demosite.com will try to be resolved by NextDNS. If there is another server or man in the middle on the same IP as *.private.demosite.com, my user may be returned something they should not be clicking on. I would expect to see the HTTPS certificate authentication fail and the users provided with a warning of the site's unsafe status, but this could be ignored by the user.
Is there any solution to this? Thanks in advance for any support.
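The off-VPN collision described in the post, as an added example that is not part of the original post: a client-side check that compares each rewrite target with the networks the device is directly attached to. The function name, status labels and sample networks are assumptions made for illustration; only the rewrite itself comes from the post.

```python
import ipaddress

# Rewrite taken from the post; every network used with it here is a constructed sample.
REWRITES = {"*.private.demosite.com": "10.11.12.13"}


def classify_rewrites(rewrites, on_link_networks, vpn_connected):
    """Classify each rewrite target against the non-VPN networks the client is on.

    on_link_networks: CIDRs of the Wi-Fi/Ethernet interfaces (not the tunnel).
    Returns {pattern: status}, where status is one of:
      "vpn"         - tunnel up, target is not on the local LAN
      "ambiguous"   - tunnel up, but the target is also on the local LAN;
                      which route wins depends on the VPN client's routing setup
      "not_on_link" - tunnel down, target is not on the local LAN; packets go to
                      the default gateway and normally fail, as the post describes
      "collision"   - tunnel down and the target is on the local LAN, so an
                      unrelated host there can answer for the private name
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in on_link_networks]
    statuses = {}
    for pattern, target in rewrites.items():
        ip = ipaddress.ip_address(target)
        on_lan = any(ip in net for net in nets)
        if vpn_connected:
            statuses[pattern] = "ambiguous" if on_lan else "vpn"
        else:
            statuses[pattern] = "collision" if on_lan else "not_on_link"
    return statuses


if __name__ == "__main__":
    # Constructed scenarios: (label, on-link CIDRs, VPN state)
    scenarios = [
        ("office, VPN up", ["192.168.1.0/24"], True),
        ("hotel wifi, VPN down", ["10.11.12.0/24"], False),
        ("guest wifi, VPN down", ["172.16.40.0/22"], False),
    ]
    for label, nets, vpn in scenarios:
        print(label, classify_rewrites(REWRITES, nets, vpn))
```
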