I started integrating Authentik lately based on seeing people recommend it. It has pretty steep learning curve. I had to follow tutorials and even then each integration have its own quirks. I got stuck on integrating my internal e-mail server with ldap provider (via authentik). It’s definitely capable but it’s a project to integrate all services.
I think there are many levels to approach this problem. First off the obvious investigate why your org DNS is having issues. This is IT request they should fix that. They should have SLA on this critical service and not fixing it should escalate to management. There may be many reasons why resolver is not working specially in complex multi site setups. This is the best option as it solves this and probably other DNS related issues.
The rogue approach: On other side if you only host service for handful of users that you personally know and you have ability to edit your hosts file, you can bypass DNS completely. This isn’t ideal as it has to be done one every system and in case your IP changes you will have to do it again. It would largely depend on your level of access to system. If you even can change hosts file.
Alternative crazy idea is to host your own DNS. Change DNS setting on your network configuration. Then point your dns to your org dns. Same problem as hosts file you will need to do that for all systems that need connectivity.
Expanding on own DNS approach you could go as far as hosting your own network. WiFi or switch in case you need Ethernet cable connection. You can buy used enterprise equipment for cheap plug it in l, configure to point to your own DNS and anyone connected to your network would have your settings. Of course this is super shadow IT and I would discourage from pursuing that.
Less crazy and rogue option is to use something like tailscale (or similar) which would have DNS (magic dns). You would need agent installed on every client.
Here is my security point of view. Second instance would be too much overhead for just one use case of sharing file. You have to decide how comfortable you are with exposing anything in your private network. I would personally not expose Nextcloud instance because it’s complex application with many modules each possibly having 0day exploits. If your goal is to share a file and selfhost I would look into dedicated apps for that purpose. You can setup simple microbin/privatebin on dedicated hardware in DMZ network behind firewall. You should run IDS/IPS on your open ports (pfsense/opnsense have that nicely pairs with crowdsec). You could also look into cloud fare tunnels to expose your dedicated file sharing app but I would still use as much isolation as possibilities (ideally phisical hardware) so that it would be not easy to compromise your local network in event of breach. Regardless selfhosted solution will always pose risks and management overhead if you want to run a tight setup. It’s much easier to use public cloud solution. For example proton drive is encrypted and you can share files via links with people.
If you have adguard on port 53 that will be your first hop and main DNS server. If you setup rewrite on adguard to point *.local.my domain.con to 192.168.1.777 that should be good. Next ensure your DHCP server sets correct DNS server for clients.
https://docs.opnsense.org/manual/dhcp.html
Next I would ensure that the client you’re testing with is pointing to the adguard DNS. In this case your open sense router on port 53.
Depending what you’re testing with on Linux you can check /etc/resolv.conf
You can run dig command to point directly to your adguard server to verify it works and you have connectivity
dig @192.168.1.1 something.local.my domain.com
Friend did recently the whole opnsense setup with managed switch and wireless AP SSID’s for each VLAN and always on VPN for some networks.
The nice thing about vm with nginx proxy manager or just nginx running on the same host as the rest(or majority) of vms is that internal traffic doesn’t traverse other devices. This only applies if your backend services are not configured with TLS so you’re effectively terminating at proxy and run unencrypted traffic to backend. That being said chances of some packet sniffer running on your internal network between proxy and destination VM is low.
I’m in similar situation as you. I run overpowered router that barely sees any CPU usage.
I tried Nginx opnsense plug-in but looks like GUI doesn’t support proxy by header (locations are path based). I don’t want to ssh and mess with raw config files. I’m running HA proxy on opnsense router. I saw in community forums most people use that. After going through tutorial for one service it’s pretty easy to grasp configuration concept and replicate for other services. I think only one confusing option is that backends pools and rules can have backends configured and you can have only one in use when assigning rules to public service. Test syntax button ensures you don’t make mistakes. HA proxy has powerful options for backend more than you probably need. I moved router management port to higher number and setup proxy to run on 443. Then wildcard DNS entry points to router and that allows to keep adding services as needed.