The issue I am facing:
Multiple routers are connected via VPN.
Each router has a unique local subnet with a nameserver/resolver for that subnet only.
All routers use the local domain fritz.box.
How can I select the resolver in PiHole depending on the pseudo-TLD and rewrite the pseudo-TLD to fritz.box afterwards?
It's not clear what you want to achieve, mainly because it's not clear where Pi-hole fits in your network.
It's also not clear why your routers would all use the same local domain, unless they were all FritzBoxes (which they probably are).
Associating a domain (like printer.ffm) to another domain (like printer.fritz.box) can be done via CNAMEs. Pi-hole's UI supports defining those via Local CNAME Records, but you'd probably have to define those CNAMEs on each of your multiple local resolvers (how many?).
From your example, it's not clear whether the target printer.fritz.box refers to a unique single machine, reachable via a single IP, or whether each VPN would have its own printer.fritz.box IP, and if they had, whether resolution should be possible across different VPNs, or whether each VPN should be able to resolve to its respective 'own' printer only.
It does not return any values. Could it be the CNAME resolution is done before the split-DNS decision?
:~$ dig a @192.168.1.11 aspire.ffm
; <<>> DiG 9.16.42-Debian <<>> a @192.168.1.11 aspire.ffm
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43233
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aspire.ffm. IN A
;; Query time: 0 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Tue Aug 01 15:14:35 CEST 2023
;; MSG SIZE rcvd: 39
The Conditional Forwarding in the web GUI is limited to one entry.
Here's the test set-up:
2x NAT routers (192.168.1.1/24 and 192.168.178.1/24) with LANs connected over the internet via Tailscale VPN subnet routers.
Both routers use fritz.box as local domain. This is hardwired in the routers and cannot be changed.
Subnets 192.168.1.0/24 and 192.168.178.0/24
Pi-Hole has the IPv4 address 192.168.1.11/24
The routers shall advertise Pi-Hole as a resolver for all hosts via DHCP.
PiHole is able to resolve DNS queries from 192.168.1.1/24 for fritz.box on 192.168.1.1/24 but cannot resolve DNS queries for 192.168.178.1/24. ffm and whm CNAMEs don't work at all.
As Pi-hole's Local CNAME Records pane explains, CNAMEs and any kind of forwarding won't go together, as Pi-hole has to be authoritative for the target domain.
You may chance upon sporadic successful resolution if Pi-hole is lucky enough to have a target domain cached, but that won't give you reliable resolution.
Thanks for detailing your setup a bit.
You still haven't disclosed whether you expect names to be uniquely resolved across both domains or just per subnet.
Do you want printer.ffm and printer.whm, both with a CNAME target of printer.fritz.box, pointing to the same IPv4, or should each name point to its own IPv4 address from its own associated subnet?
Would you want identical behaviour for all local names, or are some names to be treated differently?
printer.ffm would e.g. be a printer in subnet 192.168.1.19/24 and printer.whm would be another printer in e.g. subnet 192.168.178.21/24. Situations in which devices in different subnets coincidentally or by device type have the same hostname can occur. That's why I try to use some pseudo-TLDs to differentiate the subnets.
All local names should be treated the same. Only global domains should be forwarded without any manipulation.
Then you won't be able to use Conditional Forwarding, as the only local domain that your routers and clients are aware of is fritz.box - and that's ambiguous.
With just one Pi-hole, you would instead need to define each of your names as a Local DNS Record, e.g.
Domain        IP
printer.ffm   192.168.1.19
printer.whm   192.168.178.21
But note that a client would still only expand its request for a hostname like printer by the local fritz.box, and for printer.fritz.box, there's no way for Pi-hole to differentiate where to forward it.
This would mean that whenever there are identical names for hosts in several subnets, Pi-hole would only ever be able to provide correct replies for *.fritz.box requests from the one subnet that it is connected to itself.
To overcome this, you would need a separate Pi-hole (or other configurable DNS server) on each of your subnets.
Instead of using Pi-hole, another solution may be to employ a full-blown DNS resolver that would be capable of supplying different DNS replies based on the requestor's source IP address. Note that your VPN coupling may pose additional challenges here, as your DNS server may or may not see the actual IP address of the device that sent the request.
Different DNS replies based on the requestor's source IP address don't work here as this would not allow resolving hostnames in the remote subnet.
That's why I'm trying to use pseudo domains like .ffm and .whm for the subnets.
Basically I'm looking for a resolver which first does the split DNS decision based on the pseudo domain and afterwards rewrites the domain to fritz.box before forwarding the request to the responsible subnet resolver.
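The resolver behaviour described in this post (pick the subnet resolver from the pseudo-TLD, rewrite the name to fritz.box, forward it, and hand the answer back under the name the client asked for), as an added Python sketch that is not from the original thread or from Pi-hole; 192.168.1.1 and 192.168.178.1 are the routers from the test set-up above, 9.9.9.9 is an assumed public upstream, and the upstream reply is constructed. It also returns no decision for a bare *.fritz.box query, which is the ambiguity pointed out earlier in the thread.

```python
import struct
SPLIT = {"ffm": ("192.168.1.1", "fritz.box"), "whm": ("192.168.178.1", "fritz.box")}  # constructed: pseudo-TLD -> (subnet resolver, real domain)
GLOBAL_UPSTREAM = "9.9.9.9"  # assumed public resolver for everything that is not a local name

def route(qname):
    """Return (upstream_ip, name_to_send_upstream), or None for an ambiguous bare *.fritz.box query."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-1] in SPLIT:                  # the pseudo-TLD selects the subnet resolver
        upstream, real_domain = SPLIT[labels[-1]]
        return upstream, ".".join(labels[:-1] + [real_domain])
    if labels[-2:] == ["fritz", "box"]:      # carries no subnet information, so it cannot be forwarded safely
        return None
    return GLOBAL_UPSTREAM, ".".join(labels)  # global names are forwarded unmodified

def encode_name(name):  # wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype=1):  # header with RD set and QDCOUNT=1, then one question (type A by default)
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)

def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset just after it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer: follow it, the name ends here
            labels.append(decode_name(msg, ((n & 0x3F) << 8) | msg[off + 1])[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def a_records(resp, client_name):
    """Extract A records from the upstream reply, re-labelled with the name the client actually asked for."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off, out = 12, []
    for _ in range(qd):
        off = decode_name(resp, off)[1] + 4  # skip question name, QTYPE and QCLASS
    for _ in range(an):
        off = decode_name(resp, off)[1]      # owner is printer.fritz.box; the client asked for printer.ffm
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            out.append((client_name, ".".join(map(str, rdata))))
    return out
# Constructed reply as 192.168.1.1 might send for printer.fritz.box (id 0x1234, one A answer, TTL 60, 192.168.1.19)
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + encode_name("printer.fritz.box")
                + b"\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\xa8\x01\x13")
```

Sending build_query(...) to the upstream chosen by route(...) over UDP port 53 and feeding the reply to a_records is the forwarding step left out here.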
Local DNS Records as suggested above will allow your single Pi-hole to resolve the hostnames as required.
Retrieving a CNAME and deciding on a forward target are two separate steps.
On inspecting a DNS request, Pi-hole can decide to forward that request to another resolver.
It would then be that other resolver's job to decide on further treatment.
You'd still have to define respective hostnames in that resolver, either using CNAMEs or flat hostnames for each hostname involved, so the configuration effort is about the same as for a single Pi-hole. Using several ones would offer the benefit of allowing resolution of the respective local domain names (e.g. *.whm or *.ffm) even when your VPN link is down.