Is there a security vulnerability in setting a public DNS entry to a private IP Address?


I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is is possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that answer a question that are close to this one (this one covers private IP for public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect since a hacker gets a small piece of info about your local network (wireguard network is 10.27.0.1/24…isn’t this relatively a moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on wireguard network, fail2ban, no password authentication for ssh, etc.)?

This IP (10.27.0.1) would be only accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to setup local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change [i.e. set the DNS entry to 10.27.0.1] and then have each device just running a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best do you manage certs/ssl if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 everytime certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to a internet facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

server {    server_name abc.domain.com;   # DNS Entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network   # SHOULD NOT be accessible outside of wireguard network    location / {       proxy_pass http://127.0.0.1:8000; #Redirects to local service on port 8000   }       listen [::]:443 ssl; # managed by Certbot     listen 443 ssl; # managed by Certbot      // SSL Certs provided by certbot [removed manually]     // .     // .     // .  }