Comment on How do I use HTTPS on a private LAN without self-signed certs?

douglasg14b@lemmy.world 2 weeks ago

That’s a good call out.

There are a few things I do right now:

  1. All of my public DNS entries for the certs point at Cloudflare, not my IP.
  2. My internal network DNS resolver resolves those domains to an internal address.
  3. I drop all connections to those domains in Cloudflare with rules.
  4. In Caddy, I drop all connections that come from a non-internal IP range for all internal services.
  5. I use Tailscale to avoid having to have routes from the Internet into my internal services for when I’m not at home.
  6. For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to Cloudflare, which has very restrictive rules on allowable connections.

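The Caddy part of the setup above (step 4: refuse anything that does not arrive from an internal address range), written out as an added example. This is not the commenter's own configuration; the hostname, the upstream address and the Tailscale range are assumptions. The `remote_ip` matcher with `private_ranges` and the `abort` directive are standard Caddy 2 Caddyfile features.

```caddyfile
# Assumed hostname: public DNS for it points at Cloudflare, internal DNS
# resolves it to the Caddy host (split DNS, steps 1 and 2 above).
internal.example.com {
    # Match any client whose TCP peer address is NOT an RFC 1918 / loopback /
    # link-local address and NOT in Tailscale's 100.64.0.0/10 (CGNAT) range.
    # 100.64.0.0/10 is not part of private_ranges, so it is listed explicitly
    # because step 5 reaches these services over Tailscale.
    @external not remote_ip private_ranges 100.64.0.0/10

    # Close the connection without a response for everyone else.
    abort @external

    # Only internal and Tailscale clients get this far.
    reverse_proxy 10.0.0.5:8080   # assumed upstream
}
```

`remote_ip` looks at the address of the direct TCP peer, not at `X-Forwarded-For`, so this check is only meaningful when clients reach Caddy directly; if another proxy sits in front of it, every request would appear to come from that proxy's address and the rule would either block everything or nothing. Quick check from the LAN: `curl -sv https://internal.example.com/` should return the upstream's response, while the same request from a non-private source address should drop with an empty reply.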