Comment by lxgr
In case you want to look into it further: My router actually allows adding exemptions to this policy on a per-hostname basis!
Sometimes I wish it would allow wildcards, but honestly that's probably just another way for users to shoot themselves in the foot (e.g. by adding '*').
> Sometimes I wish it would allow wildcards
pfSense for example uses unbound, and while it doesn't have a switch for disabling rebind protection, it does allow injecting arbitrary unbound config, which can disable rebind protection for any depth of a DNS zone or IP space. E.g.: