I just use a VPN like tailscale or wireguard. You can normally also tell clients what DNS to use when on the VPN