
WireGuard Reverse Proxy Issues


I use WireGuard (as part of WireHole) to allow my mobile devices to access my internal network when I’m not at home. I use an nginx reverse proxy container so I can use hostnames and SSL to access all my internal services, but some of these are public services and some of them are private.
I have all the hostnames registered with my registrar, and I have the private ones set up with private IPs for the A record. This ensures only my local devices (and my WireGuarded devices) can still benefit from the reverse proxy, but the services remain private.
I experienced an issue a while back where I was away from my home and my phone was able to properly access everything on my internal network, but the hostnames wouldn’t work. One of the solutions commonly presented was to add the domains into Pi-hole’s DNS, but I really didn’t want to do that.

It turns out that Unbound does not by default allow domains to contain private addresses. I found the directive here to except domains from this behavior and added my domains to my unbound.conf with private-domain: (then restarted the container). The exceptions apply to subdomains as well. This solved a two-day headache for me and now everything works as expected.
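
For reference, a sketch of the relevant unbound.conf section, added here as an example and not taken from the author's or WireHole's actual configuration. The private-address ranges shown and the domain internal.example.com are assumptions; substitute the ranges and hostnames in your own setup.

```conf
# unbound.conf, server: section (constructed example).
# internal.example.com is a placeholder for the name(s) whose public
# A records point at private IPs.
server:
    # DNS rebinding protection: addresses in these ranges are stripped
    # from answers for names that are not explicitly exempted, which is
    # why the reverse-proxy hostnames stopped resolving over WireGuard.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Exemption: this domain and all of its subdomains may resolve to
    # private addresses. Repeat the line once per additional domain.
    private-domain: "internal.example.com"
```

Exempting only the hostnames or subdomain that actually carry private records, rather than the whole registered domain, keeps rebinding protection in force for every other name. Running unbound-checkconf against the file before restarting the container catches syntax errors in the edit.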

WRITTEN BY
omar saleem
Software/DevOps Engineer