Disable NextDNS when connected to VPN or LAN

Hi everyone,

I'm currently deploying NextDNS across a fleet of Windows machines using Microsoft Intune, and I'm trying to achieve a conditional setup based on network context.

Goal:

  • When users are in the office (connected via corporate LAN or Wi-Fi), I want them to use the internal company DNS, not NextDNS.
  • When users are connected to the company VPN, I also want them to use the internal company DNS, not NextDNS.
  • In all other scenarios (e.g., outside the office and not connected to VPN), NextDNS should be active and enforced.

Current deployment:
I'm deploying NextDNS via MSI using the following command:

msiexec /qn /i "NextDNSSetup.msi" PROFILE=<profileId> UI=0 EXCLUDE_SSIDS="Corporate Network"

Problem:

  • The EXCLUDE_SSIDS option works for Wi-Fi, but:
    • It doesn't cover wired (LAN) connections
    • It doesn't help when users are connected via VPN
  • As a result, NextDNS is still active in situations where I need it to be bypassed.

Questions:

  1. Is there a way to exclude NextDNS based on:
    • Network type (LAN vs Wi-Fi)?
    • Presence of a VPN connection?
    • Specific internal IP ranges or DNS servers?
  2. Would this require:
    • A custom script (e.g., PowerShell) to dynamically enable/disable NextDNS?
    • Integration with Windows network location awareness?
    • Or is there a built-in feature I'm missing?
  3. What is the recommended approach for enterprise environments with hybrid connectivity (office + VPN + remote)?

Any guidance or best practices would be greatly appreciated.

Thanks in advance!
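One way to detect the network context the question describes (a domain-authenticated NLA profile, a connected Windows VPN, or internal DNS servers on an interface) with built-in Windows cmdlets, written here as an added example and not taken from the post or from the NextDNS project. The internal address ranges are placeholders, the VPN check assumes a Windows-native (RAS) VPN profile visible to Get-VpnConnection, and pausing the NextDNS client itself is left to whatever control the client exposes, which the post does not establish.

```powershell
# Added example (not from the post or NextDNS): classify the Windows network context so a
# deployment script can decide whether NextDNS should defer to the internal company DNS.
# Assumptions: placeholder corporate ranges below; VPN is a Windows RAS/IKEv2 profile.
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder ranges, adjust per site

function Test-IPv4InCidr {
    # True when $Address falls inside the $Cidr block (e.g. 10.1.2.3 in 10.0.0.0/8).
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [byte[]]([System.Net.IPAddress]::Parse($Address).GetAddressBytes()[3..0])
    $netBytes = [byte[]]([System.Net.IPAddress]::Parse($net).GetAddressBytes()[3..0])
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $sub  = [BitConverter]::ToUInt32($netBytes, 0)
    $mask = if ([int]$bits -eq 0) { [uint32]0 }
            else { [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    return (($ip -band $mask) -eq ($sub -band $mask))
}

function Get-CorporateNetworkContext {
    # 1. Network Location Awareness: a DomainAuthenticated profile means Windows reached a
    #    domain controller, which covers wired LAN, corporate Wi-Fi and most VPN sessions.
    $domainProfile = Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' }

    # 2. A connected Windows VPN profile (cmdlet errors are suppressed when none exists).
    $vpnUp = Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ConnectionStatus -eq 'Connected' }

    # 3. Any interface whose configured IPv4 DNS server sits inside an internal range.
    $internalDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $srv = $_; $InternalRanges | Where-Object { Test-IPv4InCidr $srv $_ } }

    [pscustomobject]@{
        DomainAuthenticated = [bool]$domainProfile
        VpnConnected        = [bool]$vpnUp
        InternalDnsServers  = @($internalDns)
        UseInternalDns      = [bool]($domainProfile -or $vpnUp -or $internalDns)
    }
}

# Evaluate once (a scheduled task on network-change events can re-run it).
$ctx = Get-CorporateNetworkContext
$ctx | Format-List
```

When UseInternalDns is $true the machine is on the office network or the VPN and NextDNS should stand down; when it is $false the remote case applies and NextDNS stays enforced.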
