Obfuscating (changing default) port numbers isn't really good security practice. I do understand however you would like to use your custom DNS entries over SSL.
I use the same method for my internal sites; however, I lock everything down using both the built-in firewall on the network interface and the reverse proxy ACL -- found in the Access Control Profile tab on the Application portal page -- again only allowing access from my local subnet, e.g. 192.168.1.0/24 (only in two instances do I allow ingress traffic from a specific public IP address) and a DENY ALL as the last rule.
Then you can either use the OpenVPN server on your Synology (or if your router supports OpenVPN you could alternatively use that) to dial into your local network from devices that aren't part of your local network (eg. tablets, smartphones and laptops on the go).
If you don't want to go through all that, I would strongly suggest that at the very least you indeed switch to an arbitrary TCP port somewhere in the 40,000-50,000 range, adjust your forwarding rule on your router accordingly and enable the firewall on your interface to allow only traffic from your country. Hackers and script kiddies port scanning your machine will be bad enough from just your own country.
Ps. If you want to make your DSM accessible from the Internet do enforce two-factor authentication for every single account that has DSM access.
Ps2. Do yourself a favor and clean up any personally identifiable information (e.g. custom DNS records and/or your public IP address) from your posts. You are basically inviting people with nefarious intent.
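
The allow-list layout described in the post above (local subnet, a specific public IP, DENY ALL last) depends on first-match ordering. The sketch below is an added example, not part of the original post and not Synology's code: it evaluates such a rule list and audits it for a missing final deny or shadowed rules. The rule format, the function names and the 203.0.113.10 address are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set mirroring the post: local subnet, one public IP, deny all last.
# 203.0.113.10 is a placeholder from the documentation range, not a real host.
RULES = [
    ("allow", "192.168.1.0/24"),
    ("allow", "203.0.113.10/32"),
    ("deny", "0.0.0.0/0"),
]

def evaluate(rules, source):
    """Return the action of the first rule matching source (IPv4), or None if no rule matches."""
    addr = ipaddress.ip_address(source)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return None  # no rule matched: the outcome then depends on the device's default

def audit(rules):
    """Return findings about rule order: missing final DENY ALL and shadowed rules."""
    findings = []
    nets = [(action, ipaddress.ip_network(cidr)) for action, cidr in rules]
    if not nets or nets[-1] != ("deny", ipaddress.ip_network("0.0.0.0/0")):
        findings.append("last rule is not DENY ALL")
    for i, (_, net) in enumerate(nets):
        # A rule never fires when an earlier rule already covers its whole range.
        for j in range(i):
            if net.subnet_of(nets[j][1]):
                findings.append(f"rule {i + 1} is shadowed by rule {j + 1}")
                break
    return findings

if __name__ == "__main__":
    for src in ("192.168.1.42", "203.0.113.10", "203.0.113.11"):
        print(src, evaluate(RULES, src))
    # Same rules with DENY ALL moved to the top: the local subnet is locked out.
    misordered = [RULES[2], RULES[0], RULES[1]]
    print(evaluate(misordered, "192.168.1.42"), audit(misordered))
```
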