Welcome to the forum, globstarr!
I heard it’s pretty cool. I only used apcupsd in the (distant) past, so NUT would probably be a big upgrade over that.
I’m not sure that’s possible. But I wonder why you’d need such a thing.
When I was working as a sysadmin, I had my external DNS (1 and 2) set up to answer to host.domain.tld and the internal DNS (3 and 4) set up to answer to host.intranet.domain.tld. But even if a host was accessed from the intranet without the intranet subdomain, it wouldn’t be too much of an issue, because ultimately, the traffic would go something like LAN → router1 → DMZ → router2 → back to DMZ → router1 → LAN (either same LAN or another one), so it wouldn’t be getting out on the internet except for reaching the edge router.
However, you will have to explain your scenario in more depth. I’m not familiar with Tailscale or how it sets up a wg VPN. Being a VPN, that means you have some kind of local access to the network, so I don’t see the point of not resolving an FQDN host into a single IP; the VPN can just go through to the network. Maybe instead of that, you need routes pushed on the WireGuard config to know through which endpoint to go to access your resources.
In any case, the only thing I can think of to solve this would be to have 2 separate DNS servers, each resolving the same domain name but giving out different IPs. Basically, when you are at home, your DHCP would serve you DNS-H (home), which would resolve host.subdomain.domain.tld into an IP address local on the network. If my assumption is right, you want DNS-O (outside) to resolve the same host.subdomain.domain.tld into the IP address used by the WireGuard interface instead? It would be just a matter of setting up a 2nd DNS, mapping the FQDN to the IP address, and having your clients that are connected to the VPN use another DNS.
Again, I’m unfamiliar with Tailscale, but Wireguard itself has a parameter to set a custom DNS server for the client you are connecting to the tunnel to. Under the wgX.conf, add this:
DNS = ip-address
The IP should be of the DNS that resolves the IP addresses of the Tailscale IPs, but for that, you’d have to map them manually.
Still, the problem is that if you don’t disable your VPN, you would still be required to use the VPN addresses, unless again, the hosts on the VPN are resolved as the same IP as on the LAN, which would make having different IPs for the same FQDN irrelevant.
My unfamiliarity with tailscale makes me kinda unfit to answer this question, but if it’s anything like a normal VPN that you self-host, you would still only go to the edge router at most and come back to the internal network, so not leaving to the internet. But if the gateway is something on the internet, then I guess I would understand not wanting to go from the local LAN to the internet and back on the LAN.
Still, there are issues with changing the IP addresses on the fly, due to TCP handshakes. TLS is layer 7, so it doesn’t really matter so long as the domain remains the same.
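The two-DNS idea above (DNS-H for the LAN, DNS-O for VPN clients, same FQDN, different answer) is the classic split-horizon setup. The following is an added example, not code from the post or from Tailscale/WireGuard: a minimal view-based resolver that picks the answer from the client's source subnet, plus a check a practitioner would want before relying on the `DNS = ip-address` line, namely that the DNS server's address is actually routed through the tunnel (a `DNS =` server outside `AllowedIPs` is simply unreachable once the tunnel is up). All subnets, hostnames and addresses are constructed; the 100.64.0.0/10 range is the CGNAT block Tailscale hands out addresses from, but the specific hosts in it are made up. It goes slightly beyond the post in that one server with source-based views does the same job as two separate servers.

```python
import ipaddress
from typing import List, Optional

# Constructed example data (assumptions, not from the post):
# the same FQDN resolves to a LAN address for home clients and to a
# tunnel address for VPN clients.
HOME_LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed home subnet
VPN_NET = ipaddress.ip_network("100.64.0.0/10")      # CGNAT block used by Tailscale

# One "zone" per view. Names are stored fully qualified and lowercase.
ZONES = {
    "home": {"host.subdomain.domain.tld.": "192.168.10.20"},
    "vpn":  {"host.subdomain.domain.tld.": "100.64.1.20"},
}

# Ordered list: first matching source subnet wins.
VIEWS = [("home", HOME_LAN), ("vpn", VPN_NET)]


def select_view(client_ip: str) -> Optional[str]:
    """Return the view name for a querying client, or None if it is from
    neither the LAN nor the VPN (e.g. an internet address)."""
    ip = ipaddress.ip_address(client_ip)
    for name, net in VIEWS:
        if ip in net:
            return name
    return None


def resolve(fqdn: str, client_ip: str) -> Optional[str]:
    """Split-horizon lookup: same name, answer depends on who is asking.
    Unknown sources get no answer so internal names are not leaked."""
    name = fqdn.rstrip(".").lower() + "."
    view = select_view(client_ip)
    if view is None:
        return None
    return ZONES[view].get(name)


def dns_reachable_via_tunnel(dns_ip: str, allowed_ips: List[str]) -> bool:
    """The DNS server named in 'DNS = ...' must fall inside one of the
    peer's AllowedIPs, otherwise the query never enters the tunnel."""
    ip = ipaddress.ip_address(dns_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_ips)


def wireguard_interface_snippet(dns_ip: str, allowed_ips: List[str]) -> str:
    """Build the client-side [Interface]/[Peer] fragment with the DNS line,
    refusing to emit a DNS server that the tunnel cannot reach."""
    if not dns_reachable_via_tunnel(dns_ip, allowed_ips):
        raise ValueError(f"DNS server {dns_ip} is not covered by AllowedIPs {allowed_ips}")
    return (
        "[Interface]\n"
        f"DNS = {dns_ip}\n"
        "\n"
        "[Peer]\n"
        f"AllowedIPs = {', '.join(allowed_ips)}\n"
    )


if __name__ == "__main__":
    # Home client and VPN client ask for the same name, get different answers.
    print(resolve("host.subdomain.domain.tld", "192.168.10.55"))  # LAN answer
    print(resolve("host.subdomain.domain.tld", "100.64.3.7"))     # tunnel answer
    print(wireguard_interface_snippet("100.64.0.53", ["100.64.0.0/10"]))
```

Run it as-is to see the two answers; the `ValueError` path is what you hit when `DNS =` points at the LAN resolver while `AllowedIPs` only covers the VPN range, which is the "works at home, breaks on the road" symptom the post is circling around.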