

That’s a good call out.
There are a few things I do right now:
- All of my public DNS entries for the certs point at cloudflare, not my IP.
- My internal Network DNS resolver will resolve those domains to an internal address. I don’t rely on nat reflection.
- I drop all connections to those domains in cloudflare with rules
- In caddy, I drop all connections that come from a non-internal IP range for all internal services. Additionally I drop all connections from subnet that should not be allowed to access those services (network is segmented into VLANs)
- I use tailscale to avoid having to have routes from the Internet into my internal services for when I’m not at home.
- For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.
Hopefully this information helps someone else that’s also trying to do this.
In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.
All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.