Exactly. That was the main thing I wanted to avoid. I also have nginx-proxy-manager in front of all my apps, which also automates some things (like requesting new certs or renewing them when the time comes).
I have a similar setup at home. The way I did it was using certbot and DNS verification. I pointed my domain's NS records to DigitalOcean's nameservers, then I downloaded the certbot-digitalocean-dns plugin, created an API key for DO and stored it somewhere, and then certbot took care of everything else. Nothing is exposed to the internet.
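The flow the post above describes, as an added example that is not the poster's own script: a credentials file for certbot's DigitalOcean DNS plugin, a check that it is not readable by other users, and the DNS-01 issuance command. It assumes the `certbot-dns-digitalocean` plugin is installed and that the API token arrives in the `DO_TOKEN` environment variable (a placeholder name chosen here).

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes certbot + certbot-dns-digitalocean
# are installed and DO_TOKEN holds the DigitalOcean API token (placeholder).
set -euo pipefail

CREDS="${CREDS:-$HOME/.secrets/certbot/digitalocean.ini}"

# Write the token in the ini format the plugin reads, creating the file with
# mode 600 from the start (umask in a subshell) so it is never world-readable.
write_do_creds() {
    local path="$1" token="$2"
    mkdir -p "$(dirname "$path")"
    ( umask 077; printf 'dns_digitalocean_token = %s\n' "$token" > "$path" )
    chmod 600 "$path"
}

# Succeeds only if the credentials file is mode 600; certbot itself warns on
# looser permissions, this makes the script refuse to continue instead.
creds_are_private() {
    local path="$1" mode
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ]
}

# Build the DNS-01 command: the challenge is a TXT record created through
# DO's API, so no inbound port 80/443 is needed on the home network.
build_certbot_cmd() {
    local creds="$1"; shift
    local cmd="certbot certonly --dns-digitalocean"
    cmd="$cmd --dns-digitalocean-credentials $creds --dns-digitalocean-propagation-seconds 60"
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

# Usage: DO_TOKEN=... ./issue.sh run example.com '*.example.com'
if [ "${1:-}" = "run" ]; then
    shift
    write_do_creds "$CREDS" "${DO_TOKEN:?set DO_TOKEN}"
    creds_are_private "$CREDS" || { echo "credentials file is not private" >&2; exit 1; }
    set -f  # no globbing, so wildcard names like *.example.com stay literal
    # shellcheck disable=SC2046
    $(build_certbot_cmd "$CREDS" "$@")
fi
```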