I use the form of hostname.int.example.com for everything inside my home network. None of which is accessible to the outside world. I use LetsEncrypt with DNS validation to get the certificates.
Removing attack surface is better than trying to hide it.
I'd prefer this over split DNS, any day.