Services with FQDN + Let's Encrypt in local network

I bought a domain, for example

I configured the unbound service running on my OPNsense router to override all hosts for to give the IP of my home server. So when I am in the local network (at home) and ask for *, I get the local IP of the server.

My home server is running SWAG (nginx reverse proxy), and SWAG is using the DNS validation method to get a Let's Encrypt certificate. All services are accessible over When I want to access my Home Assistant I use

I configured DNS records at my registrar: the A record and all hosts are pointing to the web hosting where I also host another domain. Basically I have created a simple web page for So when I am out of the local network (not at home), browsing * gets me that simple page.

My laptop and my phone are using local services provided by the home server over That is working well in the local network. But when I leave home, my laptop and phone try to resolve and get that web hosting IP, so they try to continue communicating and can leak some data. Or, for example, the Home Assistant app starts to notify me that it cannot connect, or DAVx⁵ reports a wrong certificate.
What do you think?
How do you do that?

I forgot to mention: I don't want those services to be accessible from the internet. They will be accessible only from the local network.


Your question is not clear; is the goal to not have those subdomains queried when not on your home network?

One option is to remove the A record for at the registrar and also remove the web page from the web hosting. So resolving on the internet will fail; will get an answer without an IP, which means that the app on the phone or laptop will not continue the process of making a connection. Having a static web page and resolved on the public internet is not necessary for my scenario.

Yes, because local traffic becomes WAN traffic. So how to avoid that?

If the devices are outside the home network, the domains won't resolve, but if you are worried about leaking the names of those domains, then close the apps and pages that are trying to resolve them.

This is what I do. If you are using the DNS-01 challenge to get the Let's Encrypt cert from your domain's DNS provider, you only need an A record or CNAME on your local network DNS server for your internal services.
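The thread describes three pieces that interact: the unbound host override on the router (LAN clients get the private IP), the public zone at the registrar (roaming clients get the web host's IP and start talking to the wrong server), and the proposed fix of removing the public A record so that off-LAN lookups return NXDOMAIN. The script below is an added example written for this page, not code from the thread or from unbound, SWAG or OPNsense. It parses an unbound-style `local-zone ... redirect` / `local-data` override, simulates split-horizon resolution for a client on and off the LAN, and applies the client-side check a LAN-only service should insist on: only connect when the answer falls inside RFC 1918 space. The domain `home.example`, the addresses `192.168.1.10` and `198.51.100.20`, and the hostname `ha.home.example` are constructed placeholders; the poster's real domain does not appear on the page.

```python
import ipaddress
import re

# Constructed unbound-style override, standing in for the OPNsense host override
# described in the thread. "home.example." and 192.168.1.10 are placeholders,
# not the poster's real domain or server address. In unbound a "redirect"
# local-zone answers for the zone apex and every name below it with the given
# local-data, which is what makes "*.home.example" land on the home server.
UNBOUND_OVERRIDES = """
server:
    local-zone: "home.example." redirect
    local-data: "home.example. A 192.168.1.10"
"""

# Constructed stand-in for the public zone at the registrar: apex and wildcard
# both point at the shared web host (placeholder address).
PUBLIC_ZONE = {
    "home.example.": "198.51.100.20",
    "*.home.example.": "198.51.100.20",
}

# RFC 1918 ranges: the only answers a LAN-only service should ever resolve to.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_unbound_overrides(text):
    """Extract redirect zones and their A records from an unbound server: block."""
    redirect_zones = set()
    local_data = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'local-zone:\s*"([^"\s]+)"\s+(\w+)', line)
        if m:
            if m.group(2) == "redirect":
                redirect_zones.add(m.group(1).lower())
            continue
        m = re.match(r'local-data:\s*"([^"\s]+)\s+A\s+([\d.]+)"', line)
        if m:
            local_data[m.group(1).lower()] = m.group(2)
    return redirect_zones, local_data


def _fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    return name.lower().rstrip(".") + "."


def resolve(name, on_lan, overrides, public_zone):
    """Split-horizon lookup: unbound override on the LAN, registrar zone elsewhere.

    Returns the A record as a string, or None for NXDOMAIN.
    """
    fqdn = _fqdn(name)
    if on_lan:
        redirect_zones, local_data = overrides
        labels = fqdn.split(".")
        # A redirect zone answers for itself and everything beneath it, so walk
        # from the full name up towards the root looking for a matching zone.
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in redirect_zones and zone in local_data:
                return local_data[zone]
    # Off the LAN (or no override matched): consult the public zone, exact
    # name first, then a one-level wildcard.
    if fqdn in public_zone:
        return public_zone[fqdn]
    parent = fqdn.split(".", 1)[1]
    return public_zone.get("*." + parent)


def safe_to_connect(ip):
    """Client-side guard: only talk to a LAN-only service if the answer is RFC 1918."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def leak_report(service, overrides, public_zone):
    """Show what a roaming client would do at home and away: (answer, may_connect)."""
    report = {}
    for location, on_lan in (("lan", True), ("wan", False)):
        ip = resolve(service, on_lan, overrides, public_zone)
        report[location] = (ip, safe_to_connect(ip))
    return report


if __name__ == "__main__":
    ov = parse_unbound_overrides(UNBOUND_OVERRIDES)
    print("public A record kept:   ", leak_report("ha.home.example", ov, PUBLIC_ZONE))
    print("public A record removed:", leak_report("ha.home.example", ov, {}))
```

With the public records in place the WAN case resolves to the web host and a naive client would open a TLS session there (the "wrong certificate" symptom from the thread); with the public A and wildcard records removed the WAN lookup is NXDOMAIN and nothing is attempted. The `safe_to_connect` check is the belt-and-braces layer for apps you control: even if a stray public record reappears, an answer outside RFC 1918 space is refused.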