Question Have you ever tried randomly viewing the Synology DDNS names?

A while back when I was assigning my NAS a DDNS, the names I was choosing were all taken. So naturally I pop them into the browser xxxxxx.synology.me. I was shocked to see so many insecure Plex and Emby installs. And some even had their port 5000 open! I guess I shouldn’t be that surprised.
 
Lucky me, my DDNS name (surname) was still available.
But it's horribly shocking indeed how many people have their network stuff wide open.
I'm not an IT expert nor is it my income source, but over the years I've self-taught a lot.
One thing I always keep in mind is to shut the door.
Have to admit I just started a webserver, which is the only thing open from outside my network.
Even then it's auto-ported to HTTPS and protected as advised for DDoS/DoS/spammers/firewall rules etc. etc.
Don't know what else I can do to protect.
Everything else I always do with VPN to connect to my home network.
 
That’s best practice really.
 
Don't know what else I can do to protect.
Use DSM's firewall as well as the Internet router's firewall.

You can add rules to the DSM firewall that restrict the source locations of requests, such as:
  • deny from countries A, B, and C. And add multiple of these rules due to the 15 country per rule limit. or
  • if you only want your country, two rules in this order:
    • allow from my country
    • deny from all
It can be a bit 'belt and braces' but you can have a policy on both firewalls. You can even make the DSM firewall policy more restrictive, even to block LAN accesses for some services (such as from IoT devices: if you reserve IPs in DHCP and group IoT in a range ... that can be covered in one firewall rule).

And you could block your DSM admin account from access except from LAN/VPN IP. Only use standard accounts for day-to-day activities.

Oh and I don't allow my admin accounts to use VPN either... create the tunnel with standard users (actually I use a separate group of users managed by the LDAP server) and then access as admin down the tunnels.
 
Yep, DSM firewall is up as well as the one on my router.
Router is DDoS protected and NAS and Raspberry also.
Firewall rules are also set as in the picture below.
Tide up false login attempts, Home network only accessible by VPN, everything else gets blocked.
Hope you can read Dutch, whahaha

rule 1, allow everything from my local network
rule 2, allow everything from my WAN IP (VPN)
rule 3, allow everything only from my home country
rule 4, allow 80/433 from the entire world to visit my homepage
rule 5, deny everything else
 

Attachments

  • Naamloos.png
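The rule ordering discussed in the posts above, as an added sketch that is not from any poster or from Synology: it assumes top-down, first-match evaluation (as the "in this order" advice implies) and shows how the 15-country limit splits a deny list. The addresses, the `GEO` table, the home country `NL` and the reading of the web ports as 80 and 443 are constructed assumptions.

```python
import ipaddress

# Constructed GeoIP table using documentation prefixes (assumption, not real data).
GEO = {"198.51.100.0/24": "NL", "192.0.2.0/24": "US"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None  # private or unknown source

def matches(rule, ip, port):
    """A rule matches when every condition it carries is satisfied."""
    if "net" in rule and ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["net"]):
        return False
    if "countries" in rule and country_of(ip) not in rule["countries"]:
        return False
    if "ports" in rule and port not in rule["ports"]:
        return False
    return True

def evaluate(rules, ip, port):
    """Walk the rules top-down; the first match decides."""
    for rule in rules:
        if matches(rule, ip, port):
            return rule["action"], rule["name"]
    return "deny", "implicit"

# The five-rule policy from the thread, with constructed addresses.
POLICY = [
    {"name": "1 LAN", "net": "192.168.1.0/24", "action": "allow"},
    {"name": "2 VPN WAN IP", "net": "203.0.113.10/32", "action": "allow"},
    {"name": "3 home country", "countries": {"NL"}, "action": "allow"},
    {"name": "4 web", "ports": {80, 443}, "action": "allow"},
    {"name": "5 deny all", "action": "deny"},
]

def chunk_countries(codes, limit=15):
    """Split a country list into per-rule groups of at most `limit` entries."""
    codes = sorted(codes)
    return [codes[i:i + limit] for i in range(0, len(codes), limit)]

if __name__ == "__main__":
    for ip, port in [("192.168.1.20", 5000), ("198.51.100.9", 5000),
                     ("192.0.2.7", 443), ("192.0.2.7", 5000)]:
        print(ip, port, evaluate(POLICY, ip, port))
```

With this ordering, rule 3 decides for every home-country source before rule 4 is consulted, so the port restriction in rule 4 only applies to sources outside that country.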
Fair enough then!

Only thing then is don't use admin accounts when off the LAN ... to minimise any small chance of exposing these credentials. Same goes for your router ... manage it from the LAN.

You're right,
Fact is my phone, which I occasionally use to log into DSM or my Home Automation, is always connected to VPN when not using WiFi.
Main reason for it to be always VPN connected is to route my DNS via PiHole.
I know it may be a wrong thought, but via VPN I don't worry about leaking my credentials.

@jphermans
Yep, at the moment I use xxxxxxx.synology.me for my website, which is automatically ported to HTTPS (no port 80), and the cert is created via Let's Encrypt.
I do have my own domain name also, but it's not suited for my current website try-out.
 
You can have more than 1 domain name. For 10€ each year you have a .com domain name. Just the SSL certificate was more expensive, because Let's Encrypt still gives "not secured" warnings in the browsers I have tested. (In Dutch: for such a small amount you shouldn't pass it up.)
 
For an external domain it's indeed a no-go with an SSL cert by Let's Encrypt.
For my synology.me no problems, which I currently use as my main domain name for my website.
Costs aren't high and I could get a cert from my domain name provider for a few bucks.
For now .synology.me and the Let's Encrypt cert work flawlessly without errors in the browser and suit my needs for now.
 
I believe a lot of users think what’s available is only a synology.me domain, while there is more in the drop down menu.
I had a synology.me and then changed it. It’s too obvious.
I know this is an old thread, but I'm reading thru old stuff trying to learn. I'm currently using the synology.me. I found where I can change to other domains. If I were to change to other domains, what other settings might I need to update to point to the correct DDNS? For example, I am currently myname.synology.me. I want to change it to newname.i234.me. I know that I'll have to update my bitwarden reverse proxy from bitwarden.myname.synology.me to bitwarden.newname.i234.me. I'd also have to get a new LE cert, and probably point any externally accessed containers like bitwarden to the new domain. Anything else I'm missing?
 
You could just register a new domain name and use reverse proxy for all your services.
 
I don't really understand what you mean. I'll have to update the new domain in the settings I listed above, correct? I'm still wrapping my head around reverse proxy.
I’m just saying that if you do end up using a new domain name you can just use the Reverse proxy settings on your NAS to utilize that name and forward it to any service/Docker container on the NAS.
 
I have a question (I'm a noob): I have set a DDNS XX.synology.me and I am using OpenVPN.

In my OpenVPN config file I defined my DDNS URL, and not my IP, followed by the port number.

Does it mean that whoever finds out my DDNS can also "brute force" the login via VPN?
 
No. They need the file with the certificate, and they also need to know a DSM account that has access to use VPN. Also, you can use the firewall to control from where access via VPN can be achieved.
 
