Been running production servers for a long time.

DNS is no issue. External DNS can be handled by Cloudflare and their waf. Their DNS service can can obsfucate your public IP, or ideally not need to use it at all with a Cloudflare tunnel installed directly on the server. This is free.

Backend access trivial with Tailscale, etc.

Public IP doesn't always need to be used. You can just leave it an internal IP if you really want.