Subdomain names, different IP addresses and DNS loopback

Associate | Joined 10 Nov 2013 | Posts 57 | Location Manchester
So I have a Synology NAS that I remotely connect to via the Quickconnect relay service, however I am unsure as to the security involved, feel it is slower to connect than a direct connection and if I want to run any of the backup options I require a domain name rather than a Quickconnect ID. I have a static public IP address with Zen, but need a domain name to get an SSL certificate (essential for security!) - I believe using the built-in synology.me DDNS subdomains do not work with a Let’s Encrypt certificate.

My questions are thus:

1) If I purchase a domain name, e.g. example.com, can I direct the subdomains to different public IP addresses? Such as site1.example.com to my home IP address, site2.example.com to my work IP address and so on? This way I can purchase 1 domain name but be able to connect multiple NAS boxes at different sites.

2) My home router, a Fritz!box 7530, employs DNS rebind protection, however I can make an exemption for my subdomain. Is this a massive security risk or is it relatively safe for this single exception? It would be a right pain to have to keep changing the login details in the apps depending on where I am.

3) If I can point a subdomain to my parents’ site (dynamic IP provider) to be able to backup their NAS, can I still obtain an SSL certificate even though I have to use a DDNS provider?

4) Is any of this sensible or is it just easier to stick with using Synology Quickconnect as I mainly use the iOS apps? (This may be outside the scope of this forum but I’ll ask anyway!)

I am obviously not massively clued up on the domain name stuff, so would appreciate any advice given!
 
1) If I purchase a domain name, e.g. example.com, can I direct the subdomains to different public IP addresses? Such as site1.example.com to my home IP address, site2.example.com to my work IP address and so on? This way I can purchase 1 domain name but be able to connect multiple NAS boxes at different sites.

Yep. When you set up the DNS, just set up an A record for site1.example.com that resolves to the IP address you have at home. Repeat for site2 and so on.

2) My home router, a Fritz!box 7530, employs DNS rebind protection, however I can make an exemption for my subdomain. Is this a massive security risk or is it relatively safe for this single exception? It would be a right pain to have to keep changing the login details in the apps depending on where I am.

I don't think you need to make any changes. The rebind protection implementation in a Fritz!Box is (AFAIK) purely to protect access to the web interface of the Fritz!Box. So as long as you keep accessing the management interface the same way as you currently are, then it should be a non-issue.

3) If I can point a subdomain to my parents’ site (dynamic IP provider) to be able to backup their NAS, can I still obtain an SSL certificate even though I have to use a DDNS provider?

Yes, though the process for getting an SSL certificate will vary. GoDaddy.com, for example, requires you to confirm ownership of the domain before they'll issue a certificate. But you don't own the DDNS hostname, so you can't confirm ownership.

What you could do is set up a DNS CNAME, effectively an alias. So let's say you set up a DDNS entry for parents.ddns.com; you can add a CNAME record in the DNS for example.com that points to parents.ddns.com. So if you resolve parents.example.com, it'll ultimately resolve to the IP address that's behind parents.ddns.com.

You could then get an SSL certificate that's issued against parents.example.com rather than parents.ddns.com.

4) Is any of this sensible or is it just easier to stick with using Synology Quickconnect as I mainly use the iOS apps? (This may be outside the scope of this forum but I’ll ask anyway!)

You've nothing to lose, so give it a try. If you find things work better the way you're currently doing it then revert back to that setup.
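The record layout from answers 1 and 3 (one A record per site, a CNAME alias for the DDNS host) and the check a DNS rebind filter applies, as an added example that is not from this thread. It is a toy resolver over a constructed zone; example.com, parents.ddns.com and all IP addresses are placeholders.

```python
# Added example, not from the original thread: a tiny resolver over a
# constructed zone showing per-site A records, a CNAME alias for a DDNS
# host, and the "public name -> private address" check a rebind filter makes.
import ipaddress

# Constructed records. Public IPs are RFC 5737 documentation addresses,
# so the rebind check below uses an explicit RFC 1918 list rather than
# ipaddress.is_private (which also flags documentation ranges).
ZONE = {
    "site1.example.com.":   ("A", "203.0.113.10"),       # home static IP (sample)
    "site2.example.com.":   ("A", "198.51.100.20"),      # work static IP (sample)
    "parents.example.com.": ("CNAME", "parents.ddns.com."),
    "parents.ddns.com.":    ("A", "192.0.2.30"),         # DDNS provider's answer
    "evil.example.com.":    ("A", "192.168.178.1"),      # what rebind protection blocks
}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MAX_CNAME_DEPTH = 8  # refuse to follow endless alias loops

def resolve(name, zone=ZONE):
    """Follow CNAMEs until an A record is found; return (chain, ip) or (chain, None)."""
    name = name if name.endswith(".") else name + "."
    chain = [name]
    for _ in range(MAX_CNAME_DEPTH):
        rec = zone.get(name)
        if rec is None:
            return chain, None
        rtype, value = rec
        if rtype == "A":
            return chain, value
        name = value              # CNAME: keep walking the alias chain
        chain.append(name)
    return chain, None

def is_rebind(ip):
    """True when the answer points into LAN/loopback space (rebind filter trigger)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def lookup(name, allowlist=()):
    """Answer with rebind filtering; names on the allowlist bypass the filter."""
    chain, ip = resolve(name)
    if ip is None:
        return {"chain": chain, "ip": None, "status": "NXDOMAIN"}
    if is_rebind(ip) and chain[0].rstrip(".") not in allowlist:
        return {"chain": chain, "ip": None, "status": "BLOCKED_REBIND"}
    return {"chain": chain, "ip": ip, "status": "OK"}

if __name__ == "__main__":
    for n in ("site1.example.com", "parents.example.com", "evil.example.com"):
        print(n, "->", lookup(n))
```

Note that the thread's hostnames resolve to the router's public WAN address, so this filter would not block them; the allowlist mirrors the Fritz!Box exception list.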
 
I don't think you need to make any changes. The rebind protection implementation in a Fritz!Box is (AFAIK) purely to protect access to the web interface of the Fritz!Box. So as long as you keep accessing the management interface the same way as you currently are, then it should be a non-issue.

I thought I’d run a quick test with this, setting up a Synology DDNS subdomain (xx.MyDS.me) to connect to my NAS. Running off my phone’s 4G data, it connected no problem. Via WiFi, nothing. However, when I added the subdomain to the DNS rebind protection exception list, the subdomain name when connected via WiFi (i.e. in the LAN) takes me to the router login page?!

I’m sure this is all very secure but I’m not sure this router is going to let me connect to the NAS with an external domain/IP address whilst being on an internal IP address. Never mind...
 
Look for a setting in the router called NAT hairpinning. Enable that and then try again to access it from within your LAN.

The reason it's not working at present is that the IP address you're connecting to is the WAN IP address of the router. The router knows this and knows that you're an internal client so it's ignoring the port forwarding rule and serving you whatever is running on port 443 on itself - the management interface.

NAT hairpinning will effectively tell the router to apply the port forwarding rule to traffic that's generated internally. As such that traffic will then reach your NAS.
 