DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Certificates, picky browsers, and DNS

22 May 2018 12:05 #7 by chrisw
Replied by chrisw on topic Re: Certificates, picky browsers, and DNS
'It' in my case was simply LAN DNS:
Profile = Test
Domain name = myrouter.local (or whatever name you want looked up & converted to IP)
CNAME = Draytek 2860n (if you want this, otherwise could be anything)
IP address = 192.168.1.1 (or whatever you have your router set to) & tick the box for 'Only use this record for responding ...'

Host files are a pain, even more so if you have Android devices etc.; that's why I find the Pi-Hole DNS server approach really neat should you also want network-wide ad-blocking (though admittedly I do have my split DNS FQDN in the Pi host file, but that's a more manageable one host file to maintain versus one on every device).

22 May 2018 12:58 #8 by maxwellhadley
Replied by maxwellhadley on topic Re: Certificates, picky browsers, and DNS
That seems to work, thanks! I entered my FQDN into both domain name and CNAME, since I think the latter is what the browser checks the certificate against. It also created a 'conditional DNS forwarding' entry, enabled (?) but with a blank DNS Server IP Address. I didn't touch it.

This only seems to work for IPv4 - presumably I would have to add another entry, for the same rule, for IPv6?

Edit: I tried that, and the entry is accepted, and I see the entry in the DNS cache, but - it doesn't work. :(

24 May 2018 22:46 #9 by x64
The LAN DNS function of the Vigor will be the way to go... The instructions above are along the right lines but not exact, plus I came across a gotcha on my 2862....

Basically what we need to do is to override the external DNS resolved IP address of your router, and instead make internal clients see the internal interface's IP address. To do this we need to use the LAN DNS function to supply the replacement IP address AND we need to ensure that internal clients do use the internal DNS application of the router (that's the gotcha - more about that later).

Assuming that the external DNS has an A record for myrouter.mydomain.co.uk as its external name and resolving as 11.22.33.44, then we need to provide the replacement record as just a domain name and the 192.168.1.1 (or whatever) internal IP address in the LAN DNS dialog - you do not need to enter anything in the CNAME field, and of course enable the record - I never did figure out what 'Profile' did (I just use it to group related entries).

When adding the IP address there is the "Only use this record.." setting. Leave that unchecked in most cases. Basically we want ANY DNS request hitting the Vigor's DNS service to resolve to the internal address - unchecking that box will do that. (An example where that box would be ticked might be if you had a DMZ as a second VLAN and wanted to resolve that interface's IP - say 192.168.2.1 for servers in the DMZ, but 192.168.1.1 for devices on the normal LAN - in that case you'd add TWO IP address entries to the table at the bottom of the LAN DNS screen and TICK the "only use this record" setting for both).

OK so we now have your external DNS record that Internet clients will use, and we have the LAN DNS record that we want to be supplied to internal clients instead of the external record. We just need to ensure that internal clients are looking exclusively to the Vigor for DNS resolution.

To achieve this we need to ensure that LAN clients have ONLY the Vigor's internal IP as their DNS client settings (and no trace of your ISP's servers). You need to populate the "DNS Server IP address" section of the DHCP settings for your LAN configuration (*). There would normally only be one, the 192.168.1.1 address. That simple? NO! - that was the gotcha I found. I checked the IP configuration of a client and found that yes, the primary DNS of the client was picked up as 192.168.1.1, BUT the secondary IP of the client was one of my ISP's servers (the Vigor must have carried that through from the WAN config!). I ended up putting 192.161.1.1 as both primary and secondary DNS in the DHCP settings. Unorthodox, but it worked. Leaving the ISP's server in there would have meant that some client DNS requests might have bypassed the Vigor DNS service, and provided the external interface IP instead of the internal IP.
( * - or of course if statically configuring the IP address on your client - just enter one DNS server - the 192.168.1.1 address)

x64

25 May 2018 08:37 #10 by maxwellhadley
Replied by maxwellhadley on topic Re: Certificates, picky browsers, and DNS
Interesting - thanks. On my 2860, I found I did not need to change the DNS server settings from the ISP's servers for the LAN DNS entry to take effect. It is my understanding that the router acts as a transparent caching proxy for the configured DNS servers, so that DNS requests passing through are matched against the local DNS entries. However, this dates back years ago to my very first Draytek router, and I have not seen it spelled out clearly in the manual for a while. (On the other hand, I haven't seen anything spelled out clearly in the manual for a while either!)

Leaving the ISP's DNS servers in place, ping(8), traceroute(8), nslookup(1), and dig(1) all correctly use or return the IPv4 LAN address of the router. The last two also return the IP address of the DNS server, namely the IPv6 address of my ISP's primary DNS server. If I disable the LAN DNS entry and repeat the query dig(1) & nslookup(1) both return the WAN IPv4 address of the router. It looks like a transparent proxy to me.

The 2862 may be different, of course.

25 May 2018 10:33 #11 by x64
I’ll double check that assertion over the weekend.

It never occurred to me that the Draytek might be interfering with requests targeted at an external DNS server. That still seems odd to me.

Can you confirm that your endpoint is not using the Draytek as its DNS client entry? Or that the behaviour you describe is the same for requests specifically targeted at external resolvers?

Time to do some DIGging. (ugh!!)

25 May 2018 11:53 #12 by maxwellhadley
Replied by maxwellhadley on topic Re: Certificates, picky browsers, and DNS
Well, my auto-generated /etc/resolv.conf shows only the ISP resolvers (IPv6 first).
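A way to settle the question from a LAN client, as an added example that is not from the forum or from DrayTek: read the client's resolv.conf, flag any resolver that is not the router (the stray secondary resolver gotcha in #9), and send an A query directly to each listed resolver to see which of them hand back the internal address (the transparent-proxy comparison in #10 to #12, without depending on dig). Stdlib only; myrouter.local and 192.168.1.1 are the values used in the thread, and the parsers run offline while resolve_a needs the network.

```python
# Added example, not DrayTek code: a stdlib-only DNS A-record client plus a
# resolv.conf check for the "stray ISP secondary resolver" gotcha in this thread.
import socket
import struct

def parse_resolv_conf(text):
    """Nameserver addresses listed in resolv.conf-style text."""
    return [p[1] for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def stray_resolvers(servers, router_ips):
    """Resolvers that are not the router; queries sent there bypass LAN DNS."""
    return [s for s in servers if s not in set(router_ips)]

def build_query(name, txid=0x1234):
    """Standard recursive A query (RD=1) for name: one question, no extras."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(buf, pos):
    """Advance past a domain name at pos (handles compression pointers)."""
    while buf[pos] != 0 and buf[pos] & 0xC0 != 0xC0:
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    """IPv4 addresses from the answer section; CNAME and other types are skipped."""
    qd, an = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4                # + QTYPE/QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_a(server, name, timeout=2.0):
    """Ask one specific resolver (UDP/53) for name's A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])
```

Run `resolve_a(srv, "myrouter.local")` for every entry returned by parse_resolv_conf and for 192.168.1.1 itself: if a non-router resolver still returns the LAN address, the router is proxying the query; if it returns the WAN address, the client is bypassing LAN DNS.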
