From a NethServer perspective, is what I wrote correct:
DNS is used only for the local network and as an internet cache.
If the internet queries some of the public DNS hosts/zones, it should query the SOA, usually (in Italy) the DNS of the registrar/maintainer of the domain.
Based on the headline of that link, it’s dealing with Certificate Transparency logs, which are now mandatory for all public CAs. Thus, if you get certificates for your internal servers using Let’s Encrypt, they will be published to CT logs, and the world will be able to see the names being used. One way to avoid this would be to use a wildcard certificate, which you can’t do through the Neth GUI, but this wiki article gives a way to do it (and this article gives another way). That will not, however, disclose the IP addresses of those internal servers.
Correct–it doesn’t act as a public-facing DNS server. It does with my acme-dns module installed, but that’s only for a very limited purpose. But if you’re concerned about internal hostnames being exposed, the only way to avoid that is either to not get certificates for them, or to get a wildcard cert.
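To make the point of the two replies above concrete, here is an added example (not code from the thread, from NethServer, or from the acme-dns module) that shows which names of an internal zone would become public in Certificate Transparency under per-host certificates versus one wildcard certificate, and that parses a constructed crt.sh-style search result to list internal names already published. The zone, host names, and CT entries are hypothetical and constructed for the example; the JSON shape (a list of objects with a newline-separated `name_value` field) is assumed to mirror crt.sh output.

```python
"""Added example (not from the forum thread): which names of an internal zone
end up public in Certificate Transparency, per-host certs vs. one wildcard."""
import json


def wildcard_matches(pattern: str, name: str) -> bool:
    """Browser-style wildcard matching: '*' must be the whole left-most label
    and matches exactly one label, so '*.corp.example' covers
    'mail.corp.example' but neither 'corp.example' nor 'a.b.corp.example'.
    Wildcards with fewer than three labels ('*.com') are rejected."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def names_published_in_ct(hosts, wildcards=()):
    """Return the set of DNS names that would be disclosed in CT logs.
    Without wildcards each host gets its own cert, so every host name leaks.
    With wildcards, a host covered by some wildcard is never named in a cert;
    hosts not covered still need their own cert and therefore still leak."""
    published = set(w.lower() for w in wildcards)
    for h in hosts:
        if not any(wildcard_matches(w, h) for w in wildcards):
            published.add(h.lower())
    return published


def internal_names_in_ct(ct_json: str, zone: str):
    """Parse crt.sh-style JSON (constructed sample below, assumed shape) and
    return the non-wildcard names under `zone` that are already public."""
    zone = zone.lower().rstrip(".")
    leaked = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                continue
            if name == zone or name.endswith("." + zone):
                leaked.add(name)
    return sorted(leaked)


# Constructed sample: hypothetical internal zone and hosts, not real systems.
ZONE = "widgets-internal-use.com"
HOSTS = [f"mail.{ZONE}", f"nethserver.{ZONE}", f"git.{ZONE}",
         f"backup.lab.{ZONE}", ZONE]

# Constructed CT search result in the shape crt.sh returns (name_value may
# hold several newline-separated SANs); not real log data.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": f"mail.{ZONE}\nnethserver.{ZONE}",
     "not_before": "2023-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": f"*.{ZONE}",
     "not_before": "2023-06-01T00:00:00"},
])

if __name__ == "__main__":
    print("per-host certs publish:", sorted(names_published_in_ct(HOSTS)))
    print("wildcard publishes:",
          sorted(names_published_in_ct(HOSTS, [f"*.{ZONE}"])))
    print("already in CT:", internal_names_in_ct(SAMPLE_CT_JSON, ZONE))
```

Two caveats the output makes visible: a wildcard covers only one label, so a host such as `backup.lab.widgets-internal-use.com` is not covered by `*.widgets-internal-use.com` and would still be named in its own certificate, and the bare zone name is not covered by the wildcard either, so it must be added as a separate SAN if it needs a certificate. Names already issued before switching to a wildcard stay in the logs permanently.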
In this case, we actually have (2) domains registered.
One is external and used for company email addresses, i.e. @widgets-external-use.com, with the email being managed by another provider outside, and most users using that provider's webmail solution (i.e. Google, Microsoft, hosted business email, etc.). I suppose one day it will have a public website as well. That domain is not used anywhere inside.
The other, similar-sounding domain, like widgets-INTERNAL-use.com, we registered intentionally to be used for the inside network, with possible VPN connections/remote workers to the corporate LAN later. This is the domain we're using with NethServer and for our servers and resources behind the firewall.
So it looks like we’ll research more on the solutions you’ve posted and get a wildcard certificate through LE.