Maybe I don't get the question.
How does setting DNS name expose your application to attacker more? That's just the name for (v)Host address. It doesn't make sense to me, once service is published on the internet DNS record doesn't make it more or less vulnerable.
If you have on-premise installation you can make whatever DNS record on your local DNS server and route that traffic to the desired destination and set IIS/Apache/NGINX to serve correct application.
If it is on cloud and you have such possibility to configure DNS record to be processed directed to your vHost – it should work.
One could disccover application nodes that are not indended for public access simply by enumaering and repeating the patterns used in the name of the domain such as ap1.bla.com , ap1-t.bla.com , ap1-a.bla.com (for production node, test node and acceptance node).
Another option is to dig into the SSL – but there for security reasons I would not reveal more info.
Anyway big brother such as Google/Microssoft etc they know everything because the browsers and OS can reveal the information as well and pass it on as “telemetry data”.
Anyhow all the nodes must be properly configured and security applied, but you know – during teh developemt things may happen and I would like to take every opportunity to protect our environment and applciations.
Nevertheless – lets come back to my quesion – do you have experience using internal DNS names and internal certificates? I consider it as a secondary measure (primary is of course encryption and proper authentication)