
  On 28/03/2016 at 11:32, ultimate99 said:

I got the Web Station and Wordpress apps installed on my synology and I can access the wordpress site using 192.168.x.xxx. But I don't know how to host my domain that I bought onto my synology nas. Any ideas?


Does your internet connection have a fixed or dynamic IP?

 

If it is dynamic you need a dynamic DNS service to ensure that your web address is pointing at your connection.

 

Then it is a case of setting up some NAT on your network.

 

I would advise you NOT to do this though.  Typically web facing servers are set up in a DMZ with a firewall between this zone and your LAN.


I concur, hosting sites to the public internet is not a really good idea off your home connection.  You can host a wordpress site almost anywhere, for FREE even; doing so on your nas off your home connection is not a very good idea...

 

You want to expose the box that has ALL your files on it to the public internet??  Does that sound like a good idea to you?  Also more than likely that box is sitting on your normal network not isolated - so if I exploit that box, I would have access to everything on your network just like I was connected to it there.  Does that sound good?

 

If you want to run a wordpress site on your nas for your own local network's consumption, sure, that sounds fine, and you could set up local dns to resolve its IP to a fqdn you could access.  But I really would think long and hard before exposing that to the public internet.

  On 28/03/2016 at 12:38, BudMan said:

I concur, hosting sites to the public internet is not a really good idea off your home connection....


I'd disagree there, I'm on fibre at home so 16mb up and 18mb down so more than enough speed for my site - it pulls about 1GB of data a day and runs on a QNAP without issue. I'd be more worried about rogue adverts than somebody breaking into my web server.

Who said anything about speed being the major concern?  But sure that could be a reason as well, not everyone has fiber at home ;)

 

Are the services you're serving to the public isolated from your normal network?  Have you spent the time to harden the service and the OS exposed to the public internet? Are you going to keep up with patches and changes, and updates to the service application when new exploits and security patches come out?  What if someone wants to DDOS your site - do you have any way to mitigate that?  So your connection is up 24/7/365 - so your fiber ISP gave you an SLA with that connection?  You have your boxes serving up stuff to the public on a UPS, so when your home has a power outage - you're still up?

 

There are a bujillion reasons not to host services out of your "HOME", not even counting the fact that normally home connections just plain suck for upload speed.  And that many ISPs have a TOS that states not to run services, and many of them block specific ports used for hosting services, etc. etc..

  On 28/03/2016 at 12:45, BudMan said:

Who said anything about speed being the major concern?  But sure that could be a reason as well, not everyone has fiber at home ;)


Well, a good firewall like pfSense and a locked down server that is looked after and updated, and I cannot see it being any less secure than a drive-by rogue advert infection :)

I was referring to a local site, just to try out. But ya, you're right, I wouldn't want my box to be exposed to the public. Buying a cheap host would be enough.

 

But again, if I want to have a local site, can I use my domain?

  On 28/03/2016 at 12:50, Depicus said:

Well, a good firewall like pfSense and a locked down server that is looked after and updated, and I cannot see it being any less secure than a drive-by rogue advert infection :)


You're a brave man if you would do it with just that.  But it's your risk to take.

 

As far as I understand, neither QNAP nor Synology NASes can VLAN different services to create an isolated segment in your network.  This as well as no actual separation between the OSes for each service.  It screams bad idea - and I am not a security guy.

  On 28/03/2016 at 12:53, ultimate99 said:

I was referring to a local site, just to try out. But ya, you're right, I wouldn't want my box to be exposed to the public. Buying a cheap host would be enough.

 

But again, if I want to have a local site, can I use my domain?


What do you mean a local site? A site that can only be seen on your LAN?

  On 28/03/2016 at 13:00, ultimate99 said:

yes.


OK... so just to make sure I have this right:

 

You have a domain. Is it actually hosted anywhere right now? If so, do you want to be able to see it as well as or see the Synology NAS instead from your LAN?

Your NAS, does it have a fixed IP address on your LAN? What port is the Wordpress site running on?

What router do you have?

  On 28/03/2016 at 13:06, Jason S. said:

Fahim - in the most simple terms, the OP simply wants to use the NAS as an internal-only DC. He wants the NAS to be the Domain Controller to which all of the other internal-only devices point.


What does this have to do with domain controllers?

  On 28/03/2016 at 12:53, Fahim S. said:

You're a brave man if you would do it with just that.  But it's your risk to take.

 

As far as I understand, neither QNAP nor Synology NASes can VLAN different services to create an isolated segment in your network.  This as well as no actual separation between the OSes for each service.  It screams bad idea - and I am not a security guy.


If I fire up an Amazon instance I'm using the same levels of security as I can get at home. QNAP has VLAN and Service Binding with two NICs, but remember all my data is backed up to Office365 so I'd be more worried about that being compromised than my home system.

 

My servers and firewalls are always up to date and only expose http/s traffic, I log all login attempts and use ssh with certs only, so I guess my setup is probably a lot more secure than most servers - I use multiple security tools and logs so I think the risk is low ;)

  On 28/03/2016 at 13:08, Fahim S. said:

What does this have to do with domain controllers?


OP says - "But I don't know how to host my domain that I bought onto my synology nas"

 

To me, this means using the NAS to "host my domain", which is using the NAS as a domain controller.

  On 28/03/2016 at 13:09, Jason S. said:

OP says - "But I don't know how to host my domain that I bought onto my synology nas"

 

To me, this means using the NAS to "host my domain", which is using the NAS as a domain controller.


Sorry - the expression domain controller is being used here in a way that I don't understand.  The only time I ever hear anyone talking about Domain Controllers is when they are talking about 'enterprise' Windows networks.

  On 28/03/2016 at 13:11, Fahim S. said:

Sorry - the expression domain controller is being used here in a way that I don't understand.  The only time I ever hear anyone talking about Domain Controllers is when they are talking about 'enterprise' Windows networks.


::shrug:: perhaps I'm reading it wrong. I'm logging into my NAS now to see if this is viable.

 

OP - can you explain further?

  On 28/03/2016 at 13:08, Depicus said:

If I fire up an Amazon instance I'm using the same levels of security as I can get at home. QNAP has VLAN and Service Binding with two NICs, but remember all my data is backed up to Office365 so I'd be more worried about that being compromised than my home system.

 

My servers and firewalls are always up to date and only expose http/s traffic, I log all login attempts and use ssh with certs only, so I guess my setup is probably a lot more secure than most servers - I use multiple security tools and logs so I think the risk is low ;)


Really? I'd guess the Amazon EC2 instance has a linux OS that is a whole lot more hardened than the OS on the QNAP box.

 

It is pretty easy to deploy services on AWS that are insecure - just because you can, doesn't mean that if you can do a slightly better job at home then you are ok.  I personally wouldn't let web traffic (even https) onto my internal network from externally, but the risk is all yours.

 

I still won't recommend it as being a good idea.  Security is a risk management thing.  I guess it depends where you draw the line but best practices exist for good reason.

  On 28/03/2016 at 13:14, Fahim S. said:

Really? I'd guess the Amazon EC2 instance has a linux OS that is a whole lot more hardened than the OS on the QNAP box.

 

It is pretty easy to deploy services on AWS that are insecure - just because you can, doesn't mean that if you can do a slightly better job at home then you are ok.  I personally wouldn't let web traffic (even https) onto my internal network from externally, but the risk is all yours.

 

I still won't recommend it as being a good idea.  Security is a risk management thing.  I guess it depends where you draw the line but best practices exist for good reason.


QNAP allows you to run virtual machines so I run Ubuntu which is exactly as hardened as an Amazon instance.

 

It's a risk getting out of bed and through the front door every day, but I think the risk of a server at home is no different to servers running in the cloud or at any client site.

  On 28/03/2016 at 13:31, Depicus said:

QNAP allows you to run virtual machines so I run Ubuntu which is exactly as hardened as an Amazon instance.

 

It's a risk getting out of bed and through the front door every day, but I think the risk of a server at home is no different to servers running in the cloud or at any client site.


No - Ubuntu is absolutely not the same as a hardened Amazon instance.  Hardening Ubuntu is a massive PITA.

 

It is a risk getting out of bed (before you get to the front door), but running a server at home is nothing like running in a cloud or a proper enterprise/hoster.  I am pretty sure you don't have a SOC/NOC at home.  Cloud Providers and Enterprises pay people lots of money to secure their network (and even they fail to do so, because it is really hard to do so in a comprehensive way)... you really think you can do a better job spinning up a VM on your NAS?  I'm sorry, but no.

  On 28/03/2016 at 13:35, Fahim S. said:

No - Ubuntu is absolutely not the same as a hardened Amazon instance.  Hardening Ubuntu is a massive PITA.

 

It is a risk getting out of bed (before you get to the front door), but running a server at home is nothing like running in a cloud or a proper enterprise/hoster.  I am pretty sure you don't have a SOC/NOC at home.  Cloud Providers and Enterprises pay people lots of money to secure their network (and even they fail to do so, because it is really hard to do so in a comprehensive way)... you really think you can do a better job spinning up a VM on your NAS?  I'm sorry, but no.


Amazon don't harden their Ubuntu instances, and I think we'll agree to disagree on security.

So having a domain like something.tld is not the same as an Active Directory domain controller.  If all you're going to do is use it internally on your own network, you could resolve say wordpress.ultimate.lan, which has nothing to do with dns in the public internet.  The only way to resolve that would be to query your nameservers, be it bind you run or windows dns, or dnsmasq or unbound, etc.  Anything that can be a name server.  Even some soho routers provide for resolving your own local domain.

 

Pfsense was mentioned, and sure I use it to resolve hosts on my local.lan domain, so for example pfsense.local.lan, storage.local.lan, observium.local.lan that is one of my raspberry pi's running observium, etc.

 

Sure, pfsense would allow you to create another network segment, and you could isolate your nas to its own segment and firewall that between your other local network segments.  If the nas does not have the ability to have vlans, then you would need to isolate the whole box and anything it's running to its own firewalled network segment.

 

And again agree with Fahim on this - there is a huge difference between firing up a VM on some host you run in your network and cloud service instances like AWS or GCE or AZURE, or etc..  Or some vps on some hosting service, or even shared webhosting, etc.

 

And while security should be the major concern with providing services into your home network, there are multiple other aspects of hosting services other than just security of it.  You have uptime, you have bandwidth, you have limitations your isp might have placed on that sort of connection.  For example, comcast does not allow smtp outbound to anything other than their smtp servers.  So even if you wanted to host something where users create accounts, it's going to be a PITA working out how to even email the user info when they create an account.  While you could work out some things and send that email through your isp smtp, or get some other email service you send to on a different port.

 

Even if your isp allows sending email, can you alter the PTR for your IP? Is your IP in a dynamic IP range where it gets blacklisted from sending email to the major players?

 

So while sure you can work out some of these things, and let's say you work in security and know exactly how to harden an OS, etc. etc.  It more than likely is just plain more cost effective to host the services you want to provide to the public out of a place designed to do that.  A place that will give you an SLA on uptime, not going to lose power because there was a storm in your area for hours or even days.

 

So you have a box, you know how to harden the OS, you know exactly how to do it, you run a firewall and have firewalled network segments where this service will run - and hey, you like to do it, say even for fun/hobby.  And hey, you got all this bandwidth you're already paying for..  Depending on what hardware you're running it on - it might be more cost effective even from just an electricity standpoint to run it elsewhere ;)  I just can not see providing services to the public into your network for something like a website.

 

So I have been doing this for years and years, fairly sure I understand the security aspects of how to harden stuff.  For sure know the networking/firewall stuff to isolate said services from the rest of my network.  The only traffic I allow into my network is ntp queries via being a member of ntp pool, it's limited in bandwidth, it talks to an isolated raspberry pi.  The ntp services are the current version and locked down to only allow getting the time.  No peering, no queries of other info - you can just ask it for time.  If it goes offline, it doesn't hurt anyone, nobody is going to say hey budman that site is offline, etc.  I just do it because it's fun, and a hobby of mine - and I think it is cool to provide stratum 1 to the globe via both ipv4 and ipv6.  And doing so gets me something as well, when the service score drops to lower than 10 for whatever reason I get an email from ntp pool to check my ntp server - so I can tell if my internet is offline, or my ntp server went offline ;) so it's kind of like service monitoring for the cost of providing the service..

 

All other remote access is for my personal use only via vpn.  Where sure I can access all kinds of services, and web based stuff - but again it's limited to MY access only after I have authed with a cert and username and password.

 

But if you want to run something for your own local network access, I would be more than happy to help you in any way I can - there are no issues with that, but you don't need a public domain or even a dynamic dns domain for that at all.
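As an added example of the local-only approach described in this thread (not BudMan's or anyone else's actual configuration), an unbound resolver config that answers a private zone for LAN clients only; the zone name ultimate.lan, the resolver address 192.168.1.1, the LAN range 192.168.1.0/24 and the NAS address 192.168.1.50 are all assumptions:

```conf
# unbound.conf fragment (added example; all names and addresses are assumed)
server:
    # Listen on the LAN-side address only; nothing here faces the internet.
    interface: 192.168.1.1
    # Only LAN clients may query; everything else is refused.
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "static" makes unbound authoritative for the zone: names defined below
    # are answered locally, undefined names get NXDOMAIN, and lookups for
    # *.ultimate.lan are never forwarded to public DNS.
    local-zone: "ultimate.lan." static
    local-data: "wordpress.ultimate.lan. IN A 192.168.1.50"   # NAS (assumed)
    local-data: "nas.ultimate.lan. IN A 192.168.1.50"
    local-data-ptr: "192.168.1.50 wordpress.ultimate.lan"

    # Public names still resolve through unbound's normal recursion; the
    # private zone exists only on this resolver, so no registrar or dynamic
    # DNS record is involved.
```

Point LAN clients (or the router's DHCP) at 192.168.1.1 and check with `dig @192.168.1.1 wordpress.ultimate.lan A`; a query from outside 192.168.1.0/24 is refused rather than answered.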
