Actually, if you point a container's DNS at the host (dns: [host.docker.internal] in compose), it works for resolution + ad blocking for the reverse however, I've added it on the radar, thanks!

How does auto-TLS work? It makes a self signed certificate automatically?

Yes — numa install generates a local CA and stores it in the system trust store. When you register a .numa service, it generates a per-service TLS cert signed by that CA

I don't want to hijack the thread, because that's a cool project.

Still, if you're looking for something that "just works" and is widely used, have a look at caddy.