Btw. dnsmasq allows you to restrict nameservers on domains, i.e. specify a
domain for which a nameserver should be asked. But a different question: How
do you handle reverse DNS lookups for the internal IP (VPN) addresses, are
they forwarded to the ISP DNS, too? Or do you prevent this somehow?

Those are just more zones you want to be forwards in the "inside" view.
They are even easier to configure automagically, because you just do all
the zones for the subnets that are being routed through the VPN connection.
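
The reply's "do all the zones for the subnets" step, as an added example that is not part of the original thread: it derives the `in-addr.arpa` zones covering each VPN-routed IPv4 subnet and prints BIND forward-zone stanzas meant for the "inside" view, so reverse lookups for internal addresses are not sent to the ISP resolver. The subnet list, the forwarder address `10.8.0.1` and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: subnets routed through the VPN, and the
# internal nameserver that should answer reverse lookups for them.
VPN_SUBNETS = ["10.8.0.0/24", "172.16.4.0/22", "192.168.50.128/25"]
INTERNAL_NS = "10.8.0.1"


def reverse_zones(cidr):
    """Return the in-addr.arpa zones that cover one IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    if net.prefixlen > 24:
        # Longer than /24: use the enclosing /24 zone. This also forwards
        # lookups for the rest of that /24 to the internal nameserver.
        blocks = [net.supernet(new_prefix=24)]
    else:
        # Reverse zones sit on octet boundaries, so round the prefix up to
        # /8, /16 or /24 and enumerate every block at that size.
        boundary = max(8, -(-net.prefixlen // 8) * 8)
        blocks = net.subnets(new_prefix=boundary)
    zones = []
    for block in blocks:
        octets = str(block.network_address).split(".")[: block.prefixlen // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def bind_forward_zones(cidrs, forwarder):
    """Build one 'type forward' stanza per distinct reverse zone."""
    forwarder = str(ipaddress.ip_address(forwarder))  # reject malformed input
    seen, stanzas = set(), []
    for cidr in cidrs:
        for zone in reverse_zones(cidr):
            if zone not in seen:
                seen.add(zone)
                stanzas.append(
                    f'zone "{zone}" {{ type forward; forward only; '
                    f"forwarders {{ {forwarder}; }}; }};"
                )
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(bind_forward_zones(VPN_SUBNETS, INTERNAL_NS))
```

`forward only` keeps the server from falling back to normal recursion when the internal nameserver does not answer, which is what would otherwise let these queries reach outside resolvers.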