DNS search suffixes for non-internal services

It seems from the documentation and some experimentation that the DNS shortcuts for peer services, e.g. auth.myapp.convox.local, auth.myapp, auth are only set if the service is internal: true.

Is this true, and if so, is there a reason it applies only to internal services? It seems like a common use case to have a service that is used both internally and externally, and that internal traffic could stay within the VPC.