Help understanding DNS Server & NAT Loopback

I read somewhere about NAT Loopback and that, if it is used with your own domain name, it will connect through the local network instead of going out through the internet and back home to the NAS. Is that correct?

I followed this tutorial on setting up DNS Server, "Set Up a Local DNS with Synology DiskStation", and all seems fine.
How do I test/check that if I go to my domain name (e.g. nas.example.com) it's connecting via the LAN rather than through the internet and back to the NAS?


On my router I set the Primary DNS to the IP address on my DiskStation (192.168.0.19), is that the correct thing to do?

[Screenshot: 2019-09-13 at 10.05.07 am]
If so, if I wanted to setup DNS Server on my RT2600ac instead of the DiskStation presumably I'd set the Primary DNS to the IP address on the RT2600ac (192.168.0.1) and that would automatically go through DNS Server on the router?
 
You can use DNS Server on both the NAS and router, and in fact this will provide some resilience and backup too.

On the router's DNS Server you create slave zones for the master zones you created on the NAS DNS Server. You may want to use the zone settings to limit which devices can access and do what: depends on your environment. For each zone you can then set up Forward First so that any non-local resolution gets sent to another DNS service (OpenDNS, etc.).

With slave zones you can convert these to master zones should the NAS have a problem.

So I'm assuming you've set up various records (A and CNAME) on the NAS's DNS Server for all your home devices and the various subdomains of NAS packages. This is what I have done and helps to have www.domain.com going direct at home, where domain.com is my personal domain and is managed via Namecheap for Internet resolution.

In the SRM setup I have this:

SRM's Internet settings have the NAS as DNS primary and Cloudflare as secondary (I found this worked better than using my backup NAS as a second internal DNS server). I probably set the SRM's DNS Server as primary at one time but cannot remember what happened: it probably worked but I thought having an off-box server was better in case the local DNS hadn't fully launched when SRM needed it during reboot.

SRM's DHCP server is now set with:
  • Primary DNS: SRM's IP
  • Secondary DNS: NAS's IP
  • Forward known DNS server: Disabled (I didn't want local devices to get any external DNS server from the SRM Internet settings)
  • Domain name: domain.com
The last bit is handy when you want to be lazy: you can enter just the subdomain in the URL and your device will append .domain.com

To test from a local device... refresh the DHCP configuration and then launch your console terminal of choice (Mac Terminal, Windows cmd.exe) and run the nslookup command:

nslookup www.domain.com

This will say which DNS server is being used and what IP address it resolves for the request.
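The nslookup check above tells you which server answered and what address came back; the useful follow-up is to decide whether that address is on your LAN (local DNS answered, no NAT loopback involved) or a public address (the query went out to the Internet and the connection would hairpin through the router). This added example, which is not part of the original thread or of any Synology package, does that classification in Python. The LAN prefix 192.168.0.0/24 is assumed from the addresses mentioned in the thread; the resolver helper uses the operating system's normal lookup path, so it reflects whatever DNS your DHCP handed out.

```python
import ipaddress
import socket
import sys

# Assumed LAN prefix, matching the 192.168.0.x addresses used in the thread.
# Change this to your own subnet.
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/24")


def classify_answer(addresses, lan_network=LAN_NETWORK):
    """Classify the addresses a resolver returned for a hostname.

    'lan'      every address is inside lan_network: the local DNS Server
               answered, and clients will talk to the NAS directly.
    'internet' at least one address is globally routable: the answer came
               from the public DNS and traffic would go out and back
               through the router (NAT loopback, if the router supports it).
    'other'    private or special addresses outside your LAN (e.g. a VPN
               subnet), which deserve a second look.
    """
    kinds = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip in lan_network:
            kinds.add("lan")
        elif ip.is_global:
            kinds.add("internet")
        else:
            kinds.add("other")
    if kinds == {"lan"}:
        return "lan"
    if "internet" in kinds:
        return "internet"
    return "other"


def resolve(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname.

    This goes through the normal OS lookup, i.e. the DNS server that DHCP
    (SRM in the thread) handed to this device.
    """
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Usage: python check_lan_dns.py www.domain.com
    name = sys.argv[1] if len(sys.argv) > 1 else "www.domain.com"
    answers = resolve(name)
    print(name, "->", answers, "=>", classify_answer(answers))
```

Run it from a device on the LAN after refreshing DHCP; if it reports "internet" for a name you have an A record for, the device is not using the local DNS Server (check the DHCP DNS settings and flush the client's resolver cache).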
 
Thanks for the info!

So I'm assuming you've set up various records (A and CNAME) on the NAS's DNS Server for all your home devices and the various subdomains of NAS packages. This is what I have done and helps to have www.domain.com going direct at home, where domain.com is my personal domain and is managed via Namecheap for Internet resolution.
I just added an A record for 'subdomain.mydomain.com', which points to my DiskStation. At the moment I'm not using the 'top level domain' for anything and just point a different subdomain to my router (vpn.mydomain.com) for Synology. Do I need to add an entry for that in DNS Server?

Also, I'd previously set up a reverse proxy in Control Panel > Application Portal for 'subdomain.mydomain.com' to the IP address of the DiskStation. Do I need to do anything with that, or just leave it alone?
 
If you want to use any other subdomains then you need to define these in the DNS server, otherwise your local device will ask the SRM's DNS server to resolve it and it won't have a record so will respond 'no idea' ... and the DNS server is the master resolver (internally) for the domain so it won't ask out on the Internet.

At minimum you need to create records for every subdomain you want to use internally, even if they all point to the NAS. The reverse proxy feature of DSM needs to receive the traffic in order for it to do its reverse proxying.

My setup for DNS records is this:
  1. All physical devices get an A record (defines the IP that I've reserved in DHCP).
  2. Create CNAME records for main devices that might need swapping (mainnas, backupnas, etc) pointing to the relevant A record.
  3. Create CNAME records for services that point to the main device's CNAME record.

This means that I can switch mainnas.domain.com from being the current DS218+ to a different NAS with a different IP address without having to reconfigure all the records, e.g. should I need to fail over to the old DS215j as a backup for some services, or I get a windfall and can get a bigger and better NAS.

You can also configure master/slave reverse zones that will enable DNS to resolve backwards from the IP address to a name.

I find having a local DNS really handy because I don't have to remember IP addresses and I can make some short easy to remember names ... imac, rpi, nas. Externally these would be coming to the router's Internet interface but internally it's an alternative to .local addressing and specifying the local domain name saves time typing.
 
OK, I've added another master zone entry under 'Zones' for the vpn subdomain 👍🏼

Before doing this I was running AdGuard in a Docker container on the NAS, so I'd already set the Primary DNS in SRM to the IP address of my DiskStation (192.168.0.19). Is there any way to have AdGuard working again, I guess going through DNS Server?
 
Hi,

A question if I may.
On my router I can define a “static DNS”. I find that very useful and much easier than running the DNS package for a few hosts.

On mine for example, I just add
xyz.mydomain.com 192.168.1.170

This will allow the internal clients to access the NAS devices locally using their FQDN. Of course, provided that your DNS server is your router.

Is this option available on the Synology router?
 
So the DNS Server will send any non-domain.com resolution requests to these two servers (Cloudflare), not to your NAS. Your NAS's DNS service can then use Cloudflare as the forwarding resolver.

On my router I can define a “static DNS”. I find that very useful and much easier than running the DNS package for a few hosts.
....
Is this option available on the Synology router?
Not that I'm aware.
 
So the DNS Server will send any non-domain.com resolution requests to these two servers (Cloudflare), not to your NAS. Your NAS's DNS service can then use Cloudflare as the forwarding resolver.
Yes, if I were to change Forwarder 1 to the IP address of the DiskStation for AdGuard, and leave Forwarder 2 blank could that work, or would it create some 'endless loop' or something?
 
That should work, provided you aren't forwarding from one DNS server to the other and then back again.

SRM DNS -1st fwd-> NAS DNS -1st fwd-> 1.1.1.1
SRM DNS -2nd fwd-> 1.1.1.1
NAS DNS -2nd fwd-> 1.0.0.1

Then if the NAS isn't running it will still resolve with 1.1.1.1
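The forwarding chain above is safe because each server's forwarders only ever point "outwards"; the 'endless loop' the question worries about appears as soon as one server's forwarder list leads back to a server the query already passed through. This added example (not from the thread, SRM, or DSM) models the chain from the post as a small graph in Python and checks two things: whether any forwarding loop exists, and which external resolvers remain reachable when one box (the NAS) is down. Server names "srm-dns" and "nas-dns" are constructed labels; the Cloudflare addresses are the ones the post uses.

```python
# Constructed model of the forwarding chain described in the post:
# each key is a DNS server, the list is its forwarders in order (1st, 2nd).
# Addresses that are not keys (1.1.1.1, 1.0.0.1) are external resolvers.
FORWARDERS = {
    "srm-dns": ["nas-dns", "1.1.1.1"],   # SRM: 1st fwd NAS, 2nd fwd Cloudflare
    "nas-dns": ["1.1.1.1", "1.0.0.1"],   # NAS: 1st/2nd fwd Cloudflare
}


def find_forwarding_loop(forwarders, start):
    """Return the first forwarding cycle reachable from start, as a list of
    server names ending where it began, or None when no query can be handed
    back to a server it already visited. A cycle means a query for a name
    nobody is authoritative for bounces between the servers until it times out."""

    def walk(node, path):
        if node in path:
            return path[path.index(node):] + [node]
        for nxt in forwarders.get(node, []):
            cycle = walk(nxt, path + [node])
            if cycle:
                return cycle
        return None

    return walk(start, [])


def resolvers_reachable(forwarders, start, down=frozenset()):
    """Set of external resolvers a query from start can still reach when the
    servers in `down` are offline. Used to confirm the post's claim that SRM
    still resolves via 1.1.1.1 if the NAS is not running."""
    seen, leaves, stack = set(), set(), [start]
    while stack:
        node = stack.pop()
        if node in seen or node in down:
            continue
        seen.add(node)
        if node not in forwarders:      # not a server we manage: external resolver
            leaves.add(node)
        else:
            stack.extend(forwarders[node])
    return leaves


if __name__ == "__main__":
    print("loop:", find_forwarding_loop(FORWARDERS, "srm-dns"))
    print("all up:", resolvers_reachable(FORWARDERS, "srm-dns"))
    print("NAS down:", resolvers_reachable(FORWARDERS, "srm-dns", down={"nas-dns"}))
    # The misconfiguration the question asks about: NAS forwarding back to SRM.
    looped = {"srm-dns": ["nas-dns"], "nas-dns": ["srm-dns", "1.1.1.1"]}
    print("looped config:", find_forwarding_loop(looped, "srm-dns"))
```

Before changing Forwarder 1 on SRM to the DiskStation, write down each server's forwarders in this form; if the loop check returns anything other than None, one of the boxes is pointing back at the other.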
Thanks. So this is DNS Server on SRM forwarding to the DiskStation (and hopefully AdGuard)

[Screenshot: 2019-09-13 at 3.03.44 pm]

And this is DNS Server on DSM

[Screenshot: 2019-09-13 at 3.04.00 pm]

Does that look correct?
 
Actually, are you running AdGuard as a DNS server on DSM? I'm not familiar with this setup. But you wouldn't run two DNS servers on one box. How does AdGuard forward on the DNS requests?

My setup is to use OpenDNS as the forwarding DNS server on the Internet. I used this for years but mostly Safe Access has taken over now.
 
Actually, are you running AdGuard as a DNS server on DSM? I'm not familiar with this setup. But you wouldn't run two DNS servers on one box. How does AdGuard forward on the DNS requests?
Ah, good point. I've turned off DNS Server on DSM, so now only have it running on SRM, forwarding to DSM to go through AdGuard (hopefully).
 
…so DNS Server has been running fine for the last few days, along with AdGuard.

I find having a local DNS really handy because I don't have to remember IP addresses and I can make some short easy to remember names ... imac, rpi, nas. Externally these would be coming to the router's Internet interface but internally it's an alternative to .local addressing and specifying the local domain name saves time typing.
I'm interested in doing this but haven't been able to find much information on it.

Do I have to add names to the external domain name I set up for the DiskStation (subdomain.mydomain.com), so imac.mydomain.com, macbookpro.mydomain.com etc., or could I use any domain internally, even ones I don't own so can't use externally? (E.g. imac.home.com, macbookpro.home.com etc.)

That might be a stupid question, but not sure what can and can't be done with the local network 😊
 
You don't need to add names to the external domain, unless you want to be able to resolve things on your local domain externally (eg: access a home server from work).

Easiest to run a separate internal domain; for argument's sake I'll call this domain jonosworld.private. Best to use .local or .private as the suffix. Set this up on the router, you can set DHCP reservations or add static entries, and have everything resolvable internally with the DNS server on the router and forwarding external DNS requests to AdGuard. Make the DHCP reservation give out the internal DNS server address (i.e. the router IP).

eg:
router.jonosworld.private - 192.168.0.1 (DHCP range 192.168.0.200-250)
NAS - 192.168.0.10
Static IP or DHCP reservation for imac - 192.168.0.200
DHCP reservation for macbook - 192.168.0.201

...with everything internally using the router DNS server forwarding to the external DNS / Adguard IPs.

It's also good practice to run a secondary DNS server on the NAS as well.

Given you are running Macs I'd suggest to use .private rather than .local, to avoid any potential issues with Bonjour (as it likes to use local). This used to be a problem, I'm not sure if Apple have sorted things out now, I've been using .private for several years / OS versions now.

Hope that the above clarifies things somewhat. Feel free to PM if you need any more specific info around setup etc.
 
My usage of an internal DNS was to avoid having multiple browser bookmarks for the same home service, regardless of whether I'm on the Internet or at home. Also the HTTPS certificates don't need extra subject alternate names for other domains etc.

I have a few domains. One is exclusively used on the Internet and is for my email service and languishing web-hosting: it's been my email address domain for decades over various ISP changes.

I use another for accessing services at home (let's say it's myhome.com). On the Internet I have Namecheap set up as the nameservers for my domain and have various A, CNAME, and MX records that really all point to my Internet router's IP (there's also a wildcard record). Since there's a wildcard I don't really need most of the records on the Internet DNS resolution as it all comes here. The Internet router will do port forwarding as needed and then the NAS will do reverse proxy after that.

However, so that I can have all the same bookmarks in browsers and other apps, I have the internal DNS set up with a master zone for this domain and then define the service subdomains (A and CNAME) to resolve to the right local device.

The wildcard DNS resolution on the Internet would send imac.myhome.com to the Internet router but really I don't use this externally. This isn't a problem because the Internet router doesn't have any NAT and port forwarding rules to expose imac to inbound connections. As such imac, protected by its internal firewall, is only accessible to local devices.

Each domain that is defined as a master zone on the internal DNS server must have all the records of that domain. You can create master zones for whatever domains you like and the local devices that use this DNS server will get served the records for these domains (only these records from local DNS and no others). Any other domains for which there is no master zone will then get forwarded for resolution to the specified DNS servers. For forward zones (name to IP) you can have many records across zones resolve to the same IP address.

You can also create master reverse zones where an IP address can be queried and the fully qualified domain name is returned. For these zones you can only have one record for an IP address, so you must choose which record to send back.


It's also good practice to run a secondary DNS server on the NAS as well.
I'd agree with this. I run master zones on DSM's DNS Server and then have SRM's DNS Server with slave zones for the same ones. It's marginally more effort to do this as the slave zones sync their data from the master. Then if the master goes offline or fails you can convert the slave zones to masters. I have DHCP set to access the SRM DNS Server and then DSM's.
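The record layout described earlier (A records per device, role CNAMEs such as mainnas, service CNAMEs on top) and the zone rules in the post above (a master zone answers only from its own records and never forwards; a reverse zone holds one name per address) can be exercised together. This added example, written for this thread and not taken from DSM's DNS Server or any other project, models a small master zone for domain.com in Python: it follows CNAME chains to an A record, returns NXDOMAIN for an undefined name inside the zone instead of forwarding, forwards names outside any master zone, shows the mainnas fail-over by repointing one CNAME, and builds the reverse zone while reporting addresses that would need a choice of PTR. The device names, addresses and the "nas.domain.com" duplicate used in the usage run are constructed.

```python
# Constructed zone in the layout the thread describes:
#   A records for physical devices, CNAMEs for roles, CNAMEs for services.
ZONE = {
    "ds218.domain.com":     ("A", "192.168.0.19"),
    "ds215j.domain.com":    ("A", "192.168.0.20"),
    "imac.domain.com":      ("A", "192.168.0.200"),
    "mainnas.domain.com":   ("CNAME", "ds218.domain.com"),
    "backupnas.domain.com": ("CNAME", "ds215j.domain.com"),
    "www.domain.com":       ("CNAME", "mainnas.domain.com"),
}
MASTER_ZONES = {"domain.com"}   # zones this server is authoritative for
FORWARDERS = ["1.1.1.1"]        # where non-zone names go (Cloudflare, as in the thread)


def lookup(name, zone=ZONE, master_zones=MASTER_ZONES, max_chain=8):
    """Resolve name the way the thread says the local DNS Server behaves.

    Returns ("A", ip) after following CNAMEs, ("NXDOMAIN", None) when the
    name sits inside a master zone but has no record (the server is the
    master for the domain, so it does not ask the Internet), or
    ("FORWARD", resolver) when no master zone covers the name.
    """
    name = name.rstrip(".").lower()
    if not any(name == z or name.endswith("." + z) for z in master_zones):
        return ("FORWARD", FORWARDERS[0])
    for _ in range(max_chain):
        record = zone.get(name)
        if record is None:
            return ("NXDOMAIN", None)
        rtype, value = record
        if rtype == "A":
            return ("A", value)
        name = value            # CNAME: continue with the target name
    raise ValueError("CNAME chain longer than %d hops" % max_chain)


def swap_main_nas(zone, new_target):
    """Repoint the role CNAME so every service above it follows automatically,
    which is the fail-over the thread describes (DS218+ -> DS215j)."""
    updated = dict(zone)
    updated["mainnas.domain.com"] = ("CNAME", new_target)
    return updated


def build_reverse_zone(zone):
    """Derive PTR records from the A records. A reverse zone can hold only one
    name per address, so the first A record wins and later names for the same
    address are returned as conflicts for the admin to decide on."""
    ptr, conflicts = {}, []
    for name, (rtype, value) in zone.items():
        if rtype != "A":
            continue
        if value in ptr:
            conflicts.append((value, name))
        else:
            ptr[value] = name
    return ptr, conflicts


if __name__ == "__main__":
    print("www  ->", lookup("www.domain.com"))
    print("vpn  ->", lookup("vpn.domain.com"))        # defined nowhere: NXDOMAIN
    print("ext  ->", lookup("example.org"))           # outside zone: forwarded
    failover = swap_main_nas(ZONE, "ds215j.domain.com")
    print("www after fail-over ->", lookup("www.domain.com", zone=failover))
    with_dup = dict(ZONE, **{"nas.domain.com": ("A", "192.168.0.19")})
    print("reverse zone:", build_reverse_zone(with_dup))
```

The NXDOMAIN branch is the behaviour behind the earlier advice that every subdomain you want to use internally needs its own record: once domain.com is a master zone here, a missing name is answered as non-existent, not looked up on the Internet.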
 
…one last question @itsjasper @fredbert.

I often VPN back to my home network through my RT2600ac router, and find that using IP addresses seems to work better than hostnames connecting to various apps (usually run via Docker) on my local network.

Should hostnames created with DNS Server work OK with the VPN, or should I stick with using IP addresses for that?
 
