Set up an internal dns server that will resolve your specific host name to an internal ip and forward everything else.
If you just want a specific site, you can use bind and response policy zones. The advantage of this is that you can now configure your dns server to take advantage of block lists on the internet and block malware/ads/tracking domains.
Setup nginx as a v6 to v4 reverse proxy. Or the inverse if you have a public v4 in a vpc to use as a dmz.
Pfsense has an openvpn server and client built in. Also if you are using site-to-site ipsec vpns it can be useful. I think it will also use the extensions if you run a web proxy to inspect tls traffic. If you just use it for a nat gateway, then you don’t need aes-ni or even most of the features Pfsense provides.
It’s github. Submit a PR
If it is caching you can always set a ttl to a lower value like 5 seconds. And systems should be clearing the dns cache on a new ifup.