by thebeardisred 676 days ago
Additionally, how do you define publish?

When someone embeds https://test.internal with cert validation turned off (rather than fingerprint pinning or setting up an internal CA) in their mobile application, that client will greedily accept whatever response is provided by their local resolver... Correct or malicious.

1 comments

That seems kind of beside the point. If you turn off cert validation, it doesn't matter if the domain name is internal or external.