
DNS local domain anti-spoofing on Windows 7?

I'm looking for a way to customize the DNS resolution policy on Windows 7 as follows:

1) For certain private domains, the request should be forwarded to a secure server of my choosing (likely VPN-connected).
2) For all other requests, they should propagate as normal through the Windows DNS resolution system (i.e. the DNS servers from DHCP, in binding order, etc.)

The main impetus would be to protect this private domain from spoofing (for example, in case I connect to a friendly free-WiFi hotspot which kindly forwards all hostnames to some proxy, causing my private connection requests to be directed to Starbucks' gateway server, which is conveniently in a non-private IP block - thus passing through my firewall as well).

I've looked into a few solutions; the most promising seems to be running a personal configurable DNS forwarder on my system, with a kludge dummy adapter with 127.0.0.1 as a static DNS entry at the top of the binding list; this should force all DNS requests to pass through my forwarder, which can then filter and handle the private domain requests as necessary. The problem lies in handling the remaining requests; passing them back to the Windows DNS stack seems like it would just produce an infinite forwarding loop, and no implementation (as far as I know) has special functionality like collecting the DNS server entries from Windows DHCP (other than the dummy entry) and trying them one by one.

Letting the local forwarder stay silent seems like it may be a partial solution, since Windows will go on to try the other DNS servers; the worry is that Windows, in being "smart", may decide to skip the local forwarder on future requests as well; furthermore, there is the problem of incurring an ~2 second timeout on every new DNS request, which would be unfortunate. An NXDOMAIN response would not work, since this would be binding (i.e. Windows would not continue trying the remaining servers).

As a side note, unfortunately using a public DNS server (like OpenDNS, etc.) at the end of the chain also won't really work - as it happens, my laptop also connects to other private networks, which have their own private DNS servers and internal hostnames, served of course by DHCP - I want to avoid setting up a manual configuration for that as much as possible.

I also tried setting up DNSSEC for my domain, until I realized that Windows 7 nicely includes DNSSEC support, but not a verifier; since it simply follows the "authenticated" bit set by its local friendly DNS server, it clearly won't do much against a spoofer.

TLDR: I want to interject some custom handling to forward DNS for my personal domain to a personal server, but leave all other DNS handling with Windows' default behavior. Anyone have tips?

EDIT: As an addendum, I should note that I'm looking for a system-wide solution, not just for Firefox - the connections in question are file shares, among other services.

Found the answer just now - Windows 7 and Server 2008 R2 apparently both contain the Name Resolution Policy Table, a feature intended for just this purpose, to direct and secure DNS queries filtered by domain name (and/or prefix). I had heard that it supported DNSSEC enabling by domain name, but I hadn't found out that it also supports a direct access policy (i.e. specifying a specific set of DNS servers to query for particular domains, exactly what I'm looking for). Just tested, and the NRPT policy in combination with relevant firewall settings blocks off the domain names unless connected directly to the private network. Self-answering this, but leaving the information here for reference by others (seems like an amazingly useful feature for people securing portable computer equipment).
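The NRPT rule described in the answer, as an added example that is not part of the original post: it pins one private suffix to a chosen resolver and leaves every other name on the adapter's DHCP-supplied servers. The zone `example.internal`, the resolver address `10.8.0.1` and the host `fileserver` are placeholders; the `DnsClient` cmdlets used here exist on Windows 8 / Server 2012 and later, while on Windows 7 the same rule is entered in `gpedit.msc` under Computer Configuration > Windows Settings > Name Resolution Policy.

```powershell
# Added example, not from the original post. Placeholders: the private
# zone "example.internal" and the VPN-side resolver 10.8.0.1.
# Run from an elevated PowerShell prompt.

$Namespace  = ".example.internal"   # leading dot = match the whole suffix
$PrivateDns = "10.8.0.1"
$RuleName   = "Private zone via VPN resolver"

# Drop any earlier copy of this rule so the script can be re-run safely.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

# Send every query under the private suffix to the trusted resolver.
# Names outside the suffix are not matched by this rule and keep using
# the adapter DNS servers from DHCP, which is the split the question asks for.
Add-DnsClientNrptRule -Namespace $Namespace `
                      -NameServers $PrivateDns `
                      -DisplayName $RuleName `
                      -Comment "Keep the private zone away from untrusted hotspot resolvers"

# Show the policy the DNS client is actually applying for the suffix.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Namespace } |
    Format-List Namespace, NameServers

# A name in the zone now resolves only while the private resolver is
# reachable (e.g. over the VPN). -DnsOnly skips LLMNR/NetBIOS so the
# result reflects DNS alone; a failure off-VPN is the fail-closed
# behaviour the answer reports rather than a fallback to the hotspot.
Resolve-DnsName -Name "fileserver$Namespace" -DnsOnly -ErrorAction SilentlyContinue
```

`Get-DnsClientNrptRule` also lists the rules a Group Policy pushed, so the same check works for rules created through `gpedit.msc` on the older releases.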
