How to override DNS resolver ordering while connected to L2TP VPN

9 votes
1 answer
4480 views
OS: macOS Mojave 10.14 (18A389)

Current network setup:

* Local domain: home.rossipedia.com
* Subnet: 172.16.10.0/24
* Gateway / DHCP server / DNS server: 172.16.10.1

Output of `scutil --dns`:

```
DNS configuration

resolver #1
  search domain : home.rossipedia.com
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  flags         : Request A records
  reach         : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain        : local
  options       : mdns
  timeout       : 5
  flags         : Request A records
  reach         : 0x00000000 (Not Reachable)
  order         : 300000

... (mdns common stuff)...

DNS configuration (for scoped queries)

resolver #1
  search domain : home.rossipedia.com
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  flags         : Scoped, Request A records
  reach         : 0x00020002 (Reachable,Directly Reachable Address)
```

This works fine. I can find `*.home.rossipedia.com` hosts without issue. However, the moment I connect to an L2TP VPN, my system gets reconfigured to use the _VPN_ DNS servers to resolve hosts on my _home_ search domain.

```
$ scutil --dns
DNS configuration

resolver #1
  search domain : home.rossipedia.com
  nameserver    : x.x.x.x  <- VPN DNS SERVER 1
  nameserver    : x.x.x.x  <- VPN DNS SERVER 2
  if_index      : 23 (ppp0)
  flags         : Supplemental, Request A records
  reach         : 0x00000003 (Reachable,Transient Connection)
  order         : 100000

resolver #2
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  flags         : Request A records
  reach         : 0x00020002 (Reachable,Directly Reachable Address)
  order         : 200000

... (mdns common stuff)...
```

The scoped queries configuration looks right, though:

```
DNS configuration (for scoped queries)

resolver #1
  search domain : home.rossipedia.com
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  flags         : Scoped, Request A records
  reach         : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain : first.vpn.domain
  search domain : second.vpn.domain
  nameserver    : x.x.x.x
  nameserver    : x.x.x.x
  if_index      : 23 (ppp0)
  flags         : Scoped, Request A records
  reach         : 0x00000003 (Reachable,Transient Connection)
```

In my Network System Preferences, I have the VPN connection last in the Service Order dialog. If I move the VPN connection to _before_ my Ethernet connection, then my local DNS server doesn't show up in the resolver list _at all_ (while connected to the VPN):

```
$ scutil --dns
DNS configuration

resolver #1
  search domain : first.vpn.domain
  search domain : second.vpn.domain
  nameserver    : x.x.x.x
  nameserver    : x.x.x.x
  if_index      : 23 (ppp0)
  flags         : Supplemental, Request A records
  reach         : 0x00000003 (Reachable,Transient Connection)
  order         : 100000

resolver #2
  nameserver    : x.x.x.x  <- these are the same as above
  nameserver    : x.x.x.x
  if_index      : 23 (ppp0)
  flags         : Request A records
  reach         : 0x00000003 (Reachable,Transient Connection)
  order         : 200000

... (mdns common stuff)...
```

### What I want:

Ideally, what I'd like to see when connecting to a VPN is something like:

```
$ scutil --dns
DNS configuration

resolver #1
  search domain : home.rossipedia.com
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  flags         : Request A records
  reach         : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain : first.vpn.domain
  search domain : second.vpn.domain
  nameserver    : x.x.x.x
  nameserver    : x.x.x.x
  if_index      : 23 (ppp0)
  flags         : Supplemental, Request A records
  reach         : 0x00000003 (Reachable,Transient Connection)
  order         : 100000

... (mdns common stuff)...
```

This way I could resolve all `*.home.rossipedia.com` hosts via my local DNS server at 172.16.10.1, and any hosts on my VPN domain would be resolved using the VPN DNS servers. I've tried changing the order of services in the Network pref pane, changing the local domain on the DNS/DHCP server, and deleting and re-creating the VPN connection; nothing has worked so far. Is this possible? Or am I misunderstanding how this all works?
Asked by rossipedia (191 rep)
Oct 8, 2018, 11:12 PM
Last activity: Jul 9, 2025, 08:00 PM
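A small parser for the `scutil --dns` output quoted in the question, added here as an illustration and not part of the question or any answer to it. It applies a simplified reading of that output (the lowest-`order` resolver without a `domain` line is the default; a resolver with a `domain` only handles names under it) to show why, with the VPN resolver at order 100000, a lookup under `home.rossipedia.com` is sent to the VPN nameservers. The embedded sample is the VPN-connected output from the question with its `x.x.x.x` placeholders kept, and the selection rule is an assumption for diagnosis, not a reimplementation of macOS's resolver.

```python
import re

# Constructed sample: the VPN-connected `scutil --dns` output from the question
# (x.x.x.x placeholders kept; reach/flags lines dropped, they are not parsed).
SAMPLE = """\
DNS configuration
resolver #1
  search domain : home.rossipedia.com
  nameserver    : x.x.x.x
  nameserver    : x.x.x.x
  if_index      : 23 (ppp0)
  order         : 100000
resolver #2
  nameserver    : 172.16.10.1
  if_index      : 21 (en8)
  order         : 200000
"""

def parse_scutil_dns(text):
    """Parse the unscoped resolvers into dicts, sorted by `order` (lowest first)."""
    resolvers, cur = [], None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped queries)"): break  # per-interface only
        m = re.match(r"resolver #(\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "nameserver": [], "search": [], "domain": None,
                   "iface": None, "order": 10**9}  # no `order` line means "not ranked"
            resolvers.append(cur)
            continue
        if cur is None or ":" not in line: continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "nameserver":
            cur["nameserver"].append(val)
        elif key == "search domain":
            cur["search"].append(val.lower())
        elif key == "domain":
            cur["domain"] = val.lower()
        elif key == "order":
            cur["order"] = int(val)
        elif key == "if_index":  # "23 (ppp0)" -> "ppp0"
            cur["iface"] = val[val.find("(") + 1:val.find(")")]
    return sorted(resolvers, key=lambda r: r["order"])

def resolver_for(resolvers, fqdn):
    """Assumed rule: longest matching `domain` wins; else lowest-order default resolver."""
    name = fqdn.rstrip(".").lower()
    hits = [r for r in resolvers if r["domain"] and
            (name == r["domain"] or name.endswith("." + r["domain"]))]
    if hits: return max(hits, key=lambda r: len(r["domain"]))
    return min((r for r in resolvers if not r["domain"]), key=lambda r: r["order"])
```

Running `resolver_for(parse_scutil_dns(SAMPLE), "nas.home.rossipedia.com")` returns the ppp0 entry, i.e. the VPN nameservers, because neither resolver carries a `domain` line and the VPN entry has the lower order.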