A few things

• move your name server to a public DNS service that has an API like Linode Domains or Route53

• set your public A/AAAA to parked

• setup an internal DNS server and configure devices to use it via DHCP

• Setup Caddy with the DNS plugin for ACME. This will allow you to get certs locally without exposing anything.

There is little reason for companies to pay for certs let alone individuals. Use Let’s encrypt as it is easy and free.