systemd-resolved: Unexpected Behavior with Single-Label Names and Search Domain

I am using systemd-resolved on Ubuntu 24 LTS to manage DNS resolution. My goal is to implement split-DNS with the following behavior:

  1. Single-label names should be resolved by a local dnsmasq server at 192.168.2.254 via the enp8s0 link.
  2. Fully Qualified Domain Names (FQDNs) ending in .example.lan should also be resolved by the local dnsmasq server via the enp8s0 link.
  3. All other FQDNs should be resolved using the DNS server configured on the enp1s0 link (provided by my VPS provider).

Current Configuration:

I’ve made the following changes to achieve this setup:

  1. In /etc/systemd/resolved.conf:

    [Resolve]
    # Enable single-labels to be forwarded to remote DNS servers
    ResolveUnicastSingleLabel=yes
    
  2. Modified Netplan configuration:

    • Set DefaultRoute for only the enp1s0 VPS-facing link
    • Added DNS server 192.168.2.254 and search domain example.lan to enp8s0

Here’s the current output of resolvectl status:

Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS
                    DNSSEC=no/unsupported
Current DNS Server: 10.10.10.10
       DNS Servers: 10.10.10.10
        
Link 3 (enp8s0)
    Current Scopes: DNS
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS
                    DNSSEC=no/unsupported
Current DNS Server: 192.168.2.254
       DNS Servers: 192.168.2.254
        DNS Domain: example.lan

Current Behavior:

  1. Queries for FQDNs ending in .example.lan are correctly sent only to the enp8s0 DNS server on 192.168.2.254.
  2. Queries for all other FQDNs (not ending in .example.lan) are correctly sent only to the enp1s0 DNS server.
  3. Single-label queries are being sent to DNS servers on both enp8s0 and enp1s0 interfaces in parallel.

Expected Behavior:

Single-label queries should only be sent to the DNS server on enp8s0 (192.168.2.254), as it’s the only link that has the search domain example.lan configured.

According to the systemd-resolved man page:

If a name to look up matches (that is: is equal to or has as suffix)
any of the configured routing domains (search or route-only) of any
link, or the globally configured DNS settings, “best matching” routing
domain is determined: the matching one with the most labels. The query
is then sent to all DNS servers of any links or the globally
configured DNS servers associated with this “best matching” routing
domain.

Question:

Why are single-label queries being sent to both DNS servers, even though enp8s0 is the only link with a search domain configured, and thus has the most labels?

Is this a bug in version 255 of systemd-resolved? If not, how can I ensure that single-label queries are only sent to the DNS server on enp8s0 and still meet my other 2 requirements?
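The routing rule quoted from the man page can be checked on paper by modelling it. The following is an added example, not code from the original post or from systemd itself: it implements only the quoted rule (equal-or-suffix match against every link's routing domains, the match with the most labels wins, and the query goes to every link carrying that domain), plus the documented suffixing of single-label names with search domains, and applies it to the two links shown in the `resolvectl status` output above. The link list, server addresses and query names are constructed from the question; where a name matches no routing domain at all the quoted passage says nothing, so the model reports that rather than guessing the fallback.

```python
"""Model of the "best matching routing domain" rule quoted from the man page.

Added example, not systemd's code: the real resolver has more rules (LLMNR,
mDNS, DefaultRoute fallback) that are outside the quoted passage and are
deliberately not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    servers: list[str]
    # Routing domains as resolvectl lists them: "example.lan" is a search
    # domain (used for suffixing AND routing), "~example.lan" is route-only.
    domains: list[str] = field(default_factory=list)
    default_route: bool = False


# Constructed from the resolvectl status output in the question.
LINKS = [
    Link("enp1s0", ["10.10.10.10"], domains=[], default_route=True),
    Link("enp8s0", ["192.168.2.254"], domains=["example.lan"]),
]


def labels(name: str) -> list[str]:
    """Lower-case labels of a name, ignoring a trailing dot ("a.B." -> ["a", "b"])."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical(domain: str) -> str:
    """Drop the route-only marker and normalise ("~Example.LAN" -> "example.lan")."""
    return ".".join(labels(domain.lstrip("~")))


def domain_matches(name: str, domain: str) -> bool:
    """True if name equals the domain or has it as a suffix on a label boundary.

    "notexample.lan" does NOT match "example.lan"; a bare "~." matches everything."""
    d, n = labels(domain.lstrip("~")), labels(name)
    return not d or (len(n) >= len(d) and n[-len(d):] == d)


def route(name: str, links: list[Link]):
    """Apply the quoted rule to a name.

    Returns (domain, servers): the matching routing domain with the most
    labels and the DNS servers of every link that carries it, or None when
    no routing domain matches at all."""
    matches = {canonical(dom) for link in links for dom in link.domains
               if domain_matches(name, dom)}
    if not matches:
        return None
    best = max(matches, key=lambda d: len(labels(d)))
    servers: list[str] = []
    for link in links:
        if any(canonical(dom) == best for dom in link.domains):
            servers.extend(s for s in link.servers if s not in servers)
    return best, servers


def search_expansions(name: str, links: list[Link]) -> list[str]:
    """FQDN candidates for a single-label name: the name suffixed with each search domain.

    Only domains without the "~" prefix are search domains; route-only
    domains steer queries but are never appended."""
    if len(labels(name)) != 1:
        return []
    return [f"{labels(name)[0]}.{canonical(dom)}"
            for link in links for dom in link.domains if not dom.startswith("~")]


def explain(name: str, links: list[Link] = LINKS) -> str:
    """One-line summary of what the quoted rule says about a query for name."""
    decision = route(name, links)
    if decision:
        dom, servers = decision
        return f"{name}: matches routing domain {dom!r} -> {servers}"
    expansions = search_expansions(name, links)
    if expansions:
        hits = [(fq, (route(fq, links) or (None, None))[1]) for fq in expansions]
        return (f"{name}: single-label, the bare name matches no routing domain; "
                f"search expansions route as {hits}")
    return f"{name}: no routing domain matches (fallback not covered by the quoted rule)"


if __name__ == "__main__":
    for q in ("host.example.lan", "example.lan", "www.example.com",
              "notexample.lan", "myhost"):
        print(explain(q))
```

Running it shows the distinction the question turns on: `host.example.lan` and `myhost.example.lan` match the routing domain on enp8s0, `www.example.com` matches nothing, and the bare single-label `myhost` also matches nothing under the quoted rule because a search domain is a suffix to match against, not a label count the query itself carries; only its search expansion `myhost.example.lan` is routed to 192.168.2.254. Adding a `~.` route-only domain to a link (as VPN clients often do) is handled by the same code path and is included in the checks below.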