Selfhosted DNS + DNS challenge

I have a somewhat peculiar usecase. I want certain domains accessible from an internal network, but not from the internet. I know this can work through the DNS challenge and a DNS provider. Ideally however, I would like to only give that setup control over a subdomain, not the entire domain. for example, that nameserver/system would then control and so on.

Now, I think I could achieve this by hosting my own DNS server, and pointing the NS record of to that. Then I could make traefik use that DNS server to handle the DNS challenge.

However, I'm not clear how to set this up precisely. From looking at the DNS providers, nothing similar jumped out, except maybe the command/https providers.

Does anybody know a good combination? Ideally something involving simple HTTP requests over a docker network... I guess I could write my own provider but I would prefer not to.