The issue
For purposes of my local network, and for my convenience I have dedicated a subdomain to point to my local reverse proxy.
A record *.internal pointing to 192.168.0.101
My domain is connected to cloudflare, and according to dnschecker this record works.
Though I found out that only a couple of browsers properly resolve it, namely Edge on Windows 10, and Safari and DuckDuckGo on an iPhone 12.
I am using 1.1.1.1 and 1.0.0.1 DNS servers in all of my devices.
Testing
Now I investigated further, and when testing multiple public DNS servers against my subdomain I failed.
Testing was done with the dig command below, against the servers of these providers:
Google, Control D, Quad9, OpenDNS, Cloudflare, CleanBrowsing, Alternate DNS, and AdGuard DNS.
dig test.internal.example.top @8.8.8.8
All of them timed out with:
;; communications error to 8.8.8.8#53: timed out
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> test.internal.example.top @8.8.8.8
;; global options: +cmd
;; no servers could be reached
I successfully resolved my subdomain on the servers 1.1.1.1 and 8.8.8.8 using the dnschecker website. It's most likely not an issue with the public DNS servers.
I expect it to be an issue with some sort of security feature, but I can't pin it down.
I don't want to set up my own DNS server.
If you plan to have a private network with DNS, you should be configuring your own internal DNS servers that provide the visibility you like.
Both browsers and DNS servers have taken steps to limit the use of public domains with PNA addresses over time, for the obvious reasons.
The most basic is that this might work great for you... but as a public domain, it is bad to have DNS entries point back into someone's private network address space. It might confuse people who wander into your DNS domain, and bad actors can use that to set up various creative attacks.
There's a lot of context to this, and it doesn't solve all security problems, but I hope that makes sense, in brief.
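The answer above refers to resolvers and browsers refusing public-domain answers that point into private address space. As an added illustration, not code from anyone in this thread, the following Python script shows the kind of check such a filter applies: it takes a constructed set of DNS answers (including the question's test.internal.example.top record pointing at 192.168.0.101), follows CNAMEs with a loop guard, labels each final address as loopback, link-local, private or public using the standard library's ipaddress module, and reports which names would be withheld. The function names (classify_address, resolve_addresses, audit, flagged_names) and the sample records are assumptions made for this example; 1.1.1.1 and 8.8.8.8 are the public resolvers named in the question, and 2606:4700:4700::1111 is assumed here simply as a public IPv6 address.

```python
import ipaddress
from typing import Dict, List, Tuple

Answer = Tuple[str, str, str]  # (owner name, record type, value)

# Constructed sample answers for this example, not real DNS data from the thread.
SAMPLE_ANSWERS: List[Answer] = [
    ("test.internal.example.top.", "A", "192.168.0.101"),      # the *.internal record from the question
    ("alias.example.top.", "CNAME", "test.internal.example.top."),  # CNAME into the private record
    ("loop.example.top.", "A", "127.0.0.1"),
    ("ll.example.top.", "A", "169.254.10.5"),
    ("ula.example.top.", "AAAA", "fd00::1"),
    ("resolver.example.top.", "A", "1.1.1.1"),
    ("resolver6.example.top.", "AAAA", "2606:4700:4700::1111"),  # assumed public IPv6 address
]


def classify_address(value: str) -> str:
    """Label an address the way a rebinding filter reasons about it.

    Loopback and link-local are checked before the broader is_private test,
    because those ranges are also reported as private by ipaddress.
    """
    addr = ipaddress.ip_address(value)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"  # RFC 1918 for IPv4, unique local (fc00::/7) for IPv6
    return "public"


def resolve_addresses(name: str, answers: List[Answer], max_depth: int = 8) -> List[str]:
    """Follow CNAMEs from name and return its A/AAAA values.

    The depth bound and the seen-set mean a CNAME loop yields [] instead of hanging.
    """
    seen = set()
    current = name
    for _ in range(max_depth):
        if current in seen:
            break  # CNAME loop
        seen.add(current)
        records = [(rtype, value) for (owner, rtype, value) in answers if owner == current]
        cname = next((value for rtype, value in records if rtype == "CNAME"), None)
        if cname is None:
            return [value for rtype, value in records if rtype in ("A", "AAAA")]
        current = cname
    return []


def audit(answers: List[Answer]) -> Dict[str, List[Tuple[str, str]]]:
    """Map every owner name in the answer set to its final addresses and their labels."""
    names = sorted({owner for owner, _, _ in answers})
    return {n: [(ip, classify_address(ip)) for ip in resolve_addresses(n, answers)] for n in names}


def flagged_names(answers: List[Answer]) -> List[str]:
    """Names a rebinding filter would withhold from a client: any answer that is not public."""
    return sorted(
        name for name, records in audit(answers).items()
        if any(label != "public" for _, label in records)
    )


if __name__ == "__main__":
    for name, records in audit(SAMPLE_ANSWERS).items():
        print(f"{name:30} {records}")
    print("would be filtered:", flagged_names(SAMPLE_ANSWERS))
```

Running it shows the *.internal record, the CNAME that leads to it, and the loopback, link-local and ULA answers all flagged, while the two resolver names pass. That is the behaviour the original poster is running into from the client side, and it is why the answer recommends serving such names from an internal resolver that clients on the private network are explicitly configured to trust.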