How to set up Unbound DNS wildcard override with exception?

Started by alto, September 10, 2023, 11:42:26 AM

I have a situation where I want to do this:

Resolve *.example.com to 192.168.10.10
Resolve vpn.example.com to 1.1.1.1

I.e. I use example.com for all services in my LAN *except* for my VPN which I want to resolve from a public dns server instead.
How do I properly set this up?

I have *.example.com as a host override, but that resolves vpn.example.com to 192.168.10.10 as well.

I have tried these additional settings to try to make an exception for vpn.example.com:


  • Set query forwarding for vpn.example.com to 1.1.1.1 -> host override takes precedence
  • Set a domain override for vpn.example.com to 1.1.1.1 -> host override takes precedence
  • Set an additional host override for vpn.example.com to 192.168.1.1 -> causes DNS slowdown/loop (even if pointed to some dummy address like 66.66.66.66)

So is there a way to actually do this with Unbound DNS or do I need to move this to the AdGuard Home plugin DNS, dnsmasq or something else?
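The wildcard-with-exception layout described in the question, written as raw Unbound configuration rather than through the host/domain override GUI. This is an added example, not configuration posted in the thread; the zone name, the addresses and the OPNsense drop-in path are assumptions taken from the question.

```conf
# Added example (not from this thread). On OPNsense, custom Unbound
# snippets are read from /usr/local/etc/unbound.opnsense.d/ (path assumed);
# the GUI-generated host overrides would normally produce the first block.
server:
    # Wildcard host override: example.com and every name beneath it
    # answer 192.168.10.10. A redirect zone must not have local-data
    # beneath it, which is why a second host override for vpn.example.com
    # under the wildcard misbehaves.
    local-zone: "example.com." redirect
    local-data: "example.com. A 192.168.10.10"

    # The exception: Unbound applies the most specific matching local-zone,
    # so this zone shadows the redirect for vpn.example.com only. It carries
    # no local data, so the query falls through to normal resolution.
    local-zone: "vpn.example.com." transparent

# Send the exception to the public resolver instead of the recursive path
# (the equivalent of a domain override in the GUI, which on its own cannot
# win against the wildcard because local zones are checked first).
forward-zone:
    name: "vpn.example.com."
    forward-addr: 1.1.1.1
```

After reloading Unbound, `drill vpn.example.com @127.0.0.1` should return the public answer while `drill foo.example.com @127.0.0.1` still returns 192.168.10.10.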


It's likely you'll have DHCP reservations for VPN clients so might as well provision the public resolver in the reservation profile

Quote from: newsense on September 17, 2023, 11:02:09 PM
It's likely you'll have DHCP reservations for VPN clients so might as well provision the public resolver in the reservation profile

I'm not following, how does DHCP affect what DNS lookups I can make from inside my LAN?