moduspol 4 days ago

My preference is to register a publicly resolvable domain and then just only use it internally. Then you can still get publicly trusted TLS certificates for it, in case you want them.

Doesn’t stop you from using your own private CA, either, but at least you have the option.

briHass 4 days ago | parent | next [-]

Given how modern browsers are increasingly hostile to long-lived, self-signed certs, I've resigned myself to paying the .com tax every year for a real domain. There are so many ACME clients now (e.g. HomeAssistant has a plugin) that it's fairly easy to have legitimate certs on internal devices. A side benefit is having a subdomain that can be used as a dynamic DNS record.

Cloudflare (and probably others) let you enter non-routable IPs into their DNS, so myhomeserver.mydomain.com can point to 192.168.1.45 on your LAN without having to run your own DNS/hosts.

akerl_ 3 days ago | parent [-]

Are they? Browsers treat long-lived self-signed certs pretty much exactly how they always have, from what I’ve seen: if you’ve trusted the cert in your system trust store, it just works. If you haven’t, you get a red warning page and have to click to proceed.

isaacdl 4 days ago | parent | prev [-]

I do the same. You can still get neat 4-character domains for cheap in many TLDs (including .net, which just feels right for this purpose).