upvote
I do the same thing. I'm not worried about them seeing my FQDNs.

I use the form of hostname.int.example.com for everything inside my home network. None of which is accessible to the outside world. I use LetsEncrypt with DNS validation to get the certificates.

reply
Fair, but what about names that are specific enough to give an attacker a clue to a potential attack surface, like "authelia.example.com" - now they know you've likely got an Authelia setup, and can start digging for exploitable CVEs etc. I'm in the process of removing all my individual certs and replacing with a wildcard cert served by Traefik. Is that a bad idea?
reply
Can they dig for exploitable CVEs if they're not on the Wireguard network? It is a clue to your infrastructure, but I personally think the simplicity is worth it.
reply
Do the names resolve to publicly routeable IPs? If not, I wouldn't worry about it.
reply
My IaC is on public GitHub. They could do a network scan to find software then fingerprint to find version anyway.

Removing attack surface is better than trying to hide it.

reply
This is similar to what I do, except I have my own authoritative DNS servers instead of Cloudflare.

I'd prefer this over split DNS, any day.

reply