DNS server issues

Currently reading
DNS server issues

gdb19

Byte Poster
NAS
Synology DS218+
I’ve been messing around a lot recently with my ds218+ as I’ve been off work after a back op. Learnt quite a few things but I’m still struggling to get one thing sorted that’s bugging me.

I’m using the letsencrypt linuxserver docker image as a reverse proxy as it just seemed to be a little better than the built in application portal in terms of managing certs, enforcing https and also being more customisable. I did try traefik and caddy but struggled with both of these. Ideally what I’d want is to use this to access something like organizr as a front end into all my apps but I have two issues

1- nat loopback is hard blocked on my router which prevents me from using the same url as the main tab url and local tab url on organizr,
2- I’m running letsencrypt in a new docker network (to avoid having to link containers manually) and I think due to this all ip addresses that come into organizr show as the ip of my docker network gateway so it never recognises any connection coming in via letsencrypt reverse proxy as being from external.

To get round the above I was hoping to use the built in dns server. I’ve done this previously to allow me to bypass the Nat loopback issue and allow me to use the same url all the times when using the built in syno application portal and syno ddns. I can’t seem to get the dns server to work when I’m using s third party dns (duckdns) I’m conjunction with letsencrypt docker as a reverse proxy.

Has anyone been able to do this? I’ve added mydomanin.duckdns.org as a new master zone and defined a records for all my apps but nothing loads.

Is there any working alternative to the built in dns server, maybe pihole - not sure how to get this running though?

Thanks
 

Shadow

Kilo Poster
NAS
DS216+II, DS118
Router
RT2600ac, MR2200ac
Boy. You are using so much custum stuff instead of using the default builtin DSM stuff, you are questioning the functionality of the custum buitin DSM stuff that actually works fine?
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I’ve done this previously to allow me to bypass the Nat loopback issue and allow me to use the same url
So when was this working before and not now? Not now in combination with LE docker image or what?
I can’t seem to get the dns server to work when I’m using s third party dns (duckdns) in conjunction with letsencrypt docker as a reverse proxy.
Also guessing you are runnning a 3rd party domain thats registered via duck? The main question that I have is why are you using LE for revers? Is the nginx thats built in so bad and not working for you? Would understand if that same LE is being used for generating wild card cert for your custom domain, but I'm just guessing here considering you didnt mention it.
To get round the above I was hoping to use the built in dns server
How did you configure your master/forward zone in this scenario?
 

fredbert

Giga Poster
To get round the above I was hoping to use the built in dns server. I’ve done this previously to allow me to bypass the Nat loopback issue and allow me to use the same url all the times when using the built in syno application portal and syno ddns. I can’t seem to get the dns server to work when I’m using s third party dns (duckdns) I’m conjunction with letsencrypt docker as a reverse proxy.
Does the DSM DNS Server work for other services that are configured to use it, and it's only the LE RP container that's not working?

My use of DSM DNS Server is to create master forward and reverse zones for my personal domain. For other zones the server is configured Forward First to general Internet DNS services. I have another DNS Server running on RT2600ac as a slave zone with the Forward First pointing to DSM DNS Server first and an Internet DNS second. My devices are working with this setup where SRM DNS Server is the primary DNS and DSM DNS Server is secondary.
 

gdb19

Byte Poster
NAS
Synology DS218+
Thanks for all the replies, I’ll try to answer all the questions here.

I did find the built in le cert and application portal reverse proxy worked ok but I had a couple of issues. I found the interface a bit clunky to add all the apps i wanted to the cert when generating it. I have about 13 or so apps that I wanted to access and couldn’t use a wildcard or fit them all on the cert request. I also found that I got warnings about the generated cert not being trusted on my iPad - using letsencrypt docker these are not an issue.

The dns server works for my synology ddns just not the duckdns domains that are reverse proxies via the letsencrypt docker container. My assumption is that this is because I’m using non standard http/https ports for le and have forwarded these via my router for external traffic but I’m guessing any internal traffic still goes to 80/443 and that’s why I get the DSM login page when I try to access for example sonarr.xxxxx.duckdns.org from within my Lan.

I’ve attached a photo of my current dns server setup for my duckdns domain.
 

Attachments

gdb19

Byte Poster
NAS
Synology DS218+
I’ve just had the latest DSM update on my nas which includes auto generating Let’s encrypt certs when setting up the synology ddns so I thought I’d give the built in certs/reverse proxy another go.

I don’t know if I’m missing something here but I have a problem where the certs generated are not trusted on my iOS devices.

I’ve deleted and re added my synology ddns via control panel and that has generated a new cert from LE covering all my reverse proxied apps. When I access for example sonarr I can see that iOS safari is being presented with that newly generated cert but my iOS devices say it’s not trusted.

I’ve tried exporting the cert and adding this to my iOS profiles and can see it says the cert is verified there but I still get the warning message saying the cert is not trusted. I’ve restarted my iOS devices but still no joy.

Any idea what I’m doing wrong here? Using the linuxserver letsencrypt container I didn’t have to do anything, the certs that we’re generated were trusted by iOS.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I have had a similar situation when the LE cert that was active was not a combination of *.key file and *.pem file where *.pem file as a simple cert and not a fullchain.pem. Most devices (browsers) would not work until fullchain cert was used.

Considering that I'm not using the built in method no more (but a LE docker image), can't say if this is something that can be manually altered.
 

gdb19

Byte Poster
NAS
Synology DS218+
Ok thanks for the quick reply, what’s the LE docker image that you use please? Just wondering if I could use that to generate a cert for all my apps and import into DSM.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I’m using linuxserver/letsencrypt image
 

gdb19

Byte Poster
NAS
Synology DS218+
Cheers. It does work really well - I might just stick to using it, forget about my dns issues and just have separate instances of organizr and heimdall for internal and external access.

Other think I might have a play around with is running an instance of linuxserver letsencrypt just to get certs that I could then use in DSM.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Other think I might have a play around with is running an instance of linuxserver letsencrypt just to get certs that I could then use in DSM.
Well, personally I went with it because Syno is not likely to support wild card certs any time soon. If I am to refresh them every 3 months, might as well be for a custom wild card cert that supports any subdomain that I need/want.
 

gdb19

Byte Poster
NAS
Synology DS218+
Yep, it does work really well.

Only odd issue I have with the letsencrypt docker is that I can’t seem to get the real ip address of the client to flow through into my apps. I use organizr and it would be ideal if I could get the real ip as I’d be able to open a local url when on my Lan and remote url externally.

For some reason all I get is the ip of my docker network. Still digging into this.
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
So you are running that container for reverse proxy role as well or what? Not sure what you mean about getting a real ip (your NAS ip) of the client to flow through
 

gdb19

Byte Poster
NAS
Synology DS218+
I am running letsencrypt as a reverse proxy at the moment yes.

I’m using organizr as a frontend for all my apps and that has the ability to set a url to be accessed for an app when outside my Lan and a separate one for inside. So ideally to make it transparent I’d like to be able to set my ddns name for external and my local op for internal.

Unfortunately organizr doesn’t detect that I’m outside my Lan when I try to access via my phone on 4g. I think this is something to do with docker and how networking works. There is code that has been recommended by organizr support on discord to pass the real ip through in the header through Nginx so that organizr recognises external access but it’s not working for me.

I’ve setup a new docker network so I can communicate cross containers using the container name instead of IP address. This has a default gateway of 172.18.0.1 and that’s the IP address I see logged in the access logs in Nginx in letsencrypt for any request be it over 4g or my Lan. If I saw the ip of my phone then organizr would work as intended.

Hope that makes sense
 

Rusty

Moderator
NAS Support
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
I’m using organizr as a frontend
Heimdall is not an option for you then? Also you (I'm guessing) are having NET loopback probelms (not able to use FQDN inside your lan) and thats why you are running with 2 address formats for the same "app"?
 

gdb19

Byte Poster
NAS
Synology DS218+
My router doesn’t allow Nat loopback and I can’t get the built in dns server to work with my current reverse proxy setup so no way for me to use the same link inside and outside my Lan.

With the synology ddns I can as I can get the dns server to work as expected but I then have the annoying cert issue.

I do use heimdall as well and quite like it. At the moment the best workaround I’ve come up with is to have heimdall setup to use internally with 192.168....... addresses for all my apps and organizr setup with my duckdns ddns names for external use.

It all works I’ve just been playing around trying to make it just how I want it as I’ve had time on my hands recently.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Top