The application stack has multiple components. e.g. api, public application and internal application. I want to make internal application only accessible from internal network IP ranges. I configured my nginx (reverse proxy) to allow only certain IP ranges (e.g. 192.168.1.0/24). I am using a domain name: mydomain.com
Let's say that the internal application is using the subdomain app.mydomain.com
There is also a website (running externally) under (www.)mydomain.com
The external DNS (authority) is configured to point to my server's public static IP, which is needed for the public API (e.g. api.mydomain.com).
But on the local network (incl. VPN), I want to direct the traffic internally. For instance, instead of the public IP, PCs should use the local IP, so that only those with local IP will be allowed by the nginx reverse proxy. To do this, I am configuring the Windows AD server also running a DNS Server. I am trying to configure this DNS to direct computers in the network to the server on the local network.
When I try to define a primary zone for mydomain.com with an entry for app.mydomain.com to point to the internal server address, nslookup app.mydomain.com is returning the local IP, but mydomain.com or www.mydomain.com do not work anymore.
Is there a way to point for all the other subdomains to the external DNS (authority)?
When I try to configure a secondary zone, the transfer fails. I think that the authority (external DNS) does not let me do that.
I wonder how I can achieve this?
You can achieve this by creating a primary zone called app.mydomain.com and creating an empty A record in it pointing to the internal IP address of your server; this works because an empty record matches the name of the zone itself instead of an actual hostname inside it. This way, the DNS server will only believe itself to be authoritative for the app.mydomain.com zone, but not for the higher-level mydomain.com zone; thus, queries for all other contents in the zone will be resolved in the standard way (either recursion from root servers or a forwarder if you configure one).
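The single-hostname zone described in the answer, as an added PowerShell example for the Windows DNS Server module (not code from the question or answer); the internal nginx address 192.168.1.10 and the AD DNS server address 192.168.1.2 are assumed values.

```powershell
# Added example, not from the original post. Run on the Windows AD DNS server
# (DnsServer module). Addresses below are assumptions for illustration.
$InternalIp = '192.168.1.10'     # assumed LAN address of the nginx reverse proxy
$DnsServer  = '192.168.1.2'      # assumed address of the AD DNS server
$Zone       = 'app.mydomain.com' # zone named after the one hostname to override

# 1. A local zone for the parent domain would shadow www/api (the breakage the
#    question describes), so refuse to continue if one exists.
if (Get-DnsServerZone -Name 'mydomain.com' -ErrorAction SilentlyContinue) {
    throw "A local 'mydomain.com' zone exists and hides the public records; remove it first."
}

# 2. Create the primary zone whose name is the hostname itself
#    (AD-integrated, replicated to the DNS servers of this AD domain).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain'
}

# 3. Add the empty (zone apex, '@') A record: it answers for the zone name
#    itself, i.e. for app.mydomain.com, with a short TTL so changes roll out fast.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $InternalIp `
    -TimeToLive ([TimeSpan]::FromMinutes(5))

# 4. Verify the split: the app name must resolve to the internal address, while
#    sibling names are still answered by recursion/forwarding to the public DNS.
$app = Resolve-DnsName -Name 'app.mydomain.com' -Type A -Server $DnsServer
$www = Resolve-DnsName -Name 'www.mydomain.com' -Type A -Server $DnsServer
if ($app.IPAddress -notcontains $InternalIp) {
    Write-Warning 'app.mydomain.com did not resolve to the internal address'
}
if (-not $www) {
    Write-Warning 'www.mydomain.com no longer resolves; the parent zone is probably shadowed'
}
```

The DNS override only steers clients to the internal address; the source-IP allow list on the nginx reverse proxy remains the actual access control, since anyone who learns the public IP can still reach it.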