Comment by dns_snek

6 hours ago

Because that only protects you from a small subset of the possible threats that end-to-end encryption protects you from, like DNS hijacking and any MITM-type scenario.

Sticking it on a VLAN only controls access, not data secrecy.

Broadcasting internal IPs on public DNS records is also a suboptimal approach that leaks information to the public. Local devices should be routed over layer 2.

  • DNS challenge doesn't broadcast internal IPs. Certificate transparency does show hostnames or wildcards, though.