I can’t provide you with a step-by-step fix myself, but here is a parallel.
(…and what I believe is a direct fix in the link below).
All outbound from my LAN is examined by pfSense running Unbound & pfBlockerNG-devel, …and some other stuff not related to your question.
DNS queries for 4 million “malicious” sites are redirected to a one-pixel “web page” on pfSense – over 400,000 times/month. Sorry user: my LAN, I decided you can’t go there. Justification: my public IP address.
…DNS re-redirection (by pfBlocker).
NTP queries redirected to pfSense itself (pfSense uses a nearby Stratum-1 server that has local Stratum-0 GPS access). Sorry user: my LAN, I decided you will use my Time. Justification: log comparison if issues.
…port/protocol redirection (by pfSense).
Redirecting DNS/ports/protocols to wherever you want is very evidently do-able from the above examples.
…I just don’t need to do what you want to do, so can’t provide a step-by-step.
What I do is simple pfSense GUI stuff.
A link showing how to persuade Unbound to do EXACTLY what you ask:
https://dnswatch.com/dns-docs/UNBOUND/
…it is long …it is technical …it is command-line, and you need a box running Unbound.
A quote from that link:
“We can setup Unbound to spoof the dns query of LAN clients so instead of getting the external address for the external name, they receive an internal ip for the external name. webserver.example.com which normally resolves to 111.222.333.444 now resolves 10.0.0.222. 10.0.0.222 would be the same web server which is located on the inside of the firewall in a DMZ”.
Chris
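The override the quoted passage describes, written out as an Unbound configuration fragment. This is an added example, not Chris's own config and not taken from the linked page; the interface address, the 10.0.0.0/24 range and the name/address pair are assumptions chosen to match the quote (webserver.example.com answered as 10.0.0.222 for LAN clients while the rest of example.com still resolves from the outside world).

```conf
# Added example: split-horizon override in Unbound.
# Addresses and names are assumptions for illustration only.
server:
    # Listen on the LAN side and only answer LAN clients (assumed 10.0.0.0/24).
    interface: 10.0.0.1
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "redirect" answers every query for this name (and anything below it)
    # from the local-data given here, so no upstream lookup ever happens
    # for it; other names under example.com are still resolved normally.
    local-zone: "webserver.example.com." redirect
    local-data: "webserver.example.com. 3600 IN A 10.0.0.222"

    # Matching reverse entry so log comparison and forensics on 10.0.0.222
    # map back to the same name the clients asked for.
    local-data-ptr: "10.0.0.222 webserver.example.com"
```

Two checks before relying on it: run `unbound-checkconf` after editing, then `dig @10.0.0.1 webserver.example.com A` from a LAN host and confirm the answer is 10.0.0.222 and carries no AD flag (local-data answers are unsigned, so a client doing its own DNSSEC validation of a signed zone will treat the override as bogus). On pfSense the same lines are what the DNS Resolver "Host Overrides" page generates; either way the override only bites for clients whose port 53 traffic actually reaches this resolver, which is why the port/protocol redirection Chris mentions above matters for hosts with a hard-coded or DoH resolver.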