Not sure if I completely understand but I think you want public service 1 accessible on subdomains s1.domain.com and internal service 2 on s2.domain.com?
Just point the A record for s2 to an internal ip address (or a tailscale ip). The only thing dns does is translate a (sub)domain to an ip address. So outside of your network s2.domain.com wouldn't resolve but inside your network it would.