Generic question re multi-name cert

Yeap.

IF I HAVE TO HAVE a TXT rec. in public DNS for my internal names, then it doesn't work. Hence the original question.

1 Like

The TXT record is temporary and can be deleted immediately afterwards.
But the issuance of a cert is public information.
All SAN entries will be made public as soon as that cert is created.

The Synology is not a security device.
Clicking on the menus there won't create a secure configuration (as you envision).

1 Like

DOH!

kinda, sorta, just maybe, mighta forgot that small detail. Hmm!

Back to the drawing board temporarily. Cheers.

2 Likes

If you need the names to remain private, you must never publish them.
The only way to do that is by using a wildcard cert.
The only way to get one is with DNS authentication.

If you want the endpoints to truly secure themselves, they will all need to generate their own wildcard certs.
Which means they will have to run an ACME client and they will need access (even if indirectly) to the API endpoint provided by your DSP.

And needless-to-say, you will have to run your own private DNS to resolve those names.
If you use the global DNS, then the names will be seen by the world.
[if you use anything that checks sites in your browser - then the names will be known to the service provider - i.e. the Internet]

For your scenario, I would NOT recommend turning on RP on the Synology.
If you do, you should do it by hand [not by menu clicking choices].

2 Likes
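The post above says a wildcard cert is the only way to keep internal names out of the public record, and that DNS authentication is the only way to get one. What that DNS step actually consists of is the RFC 8555 DNS-01 challenge: the client proves control of the zone by publishing one TXT record derived from the ACME account key, and for a wildcard the record goes at the base name, not under `*`. The example below, added here and not code from this thread or from any ACME client, computes that record with the standard library. The account key and token are constructed sample values (the JWK coordinates are not a real curve point) and are marked as such in the code.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) and JWK thumbprints (RFC 7638) require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Members RFC 7638 feeds into the thumbprint, per key type (lexicographic order).
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace.
    Extra members such as 'alg' or 'kid' are deliberately ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT rdata is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def dns01_record_name(identifier: str) -> str:
    """Validation name: '_acme-challenge.' prepended to the identifier.
    A wildcard is validated at its base name, so a leading '*.' is dropped."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier.rstrip('.')}"

def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple:
    """The (owner name, TXT value) pair the ACME client must publish, then may remove
    once the CA has validated it. Nothing about the final SAN list appears here."""
    return dns01_record_name(identifier), dns01_txt_value(token, account_jwk)

# Constructed sample inputs (not a real key; x/y are just 32 arbitrary bytes each).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "alg": "ES256",  # present in real JWKs, excluded from the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample token shape

if __name__ == "__main__":
    for ident in ("*.example.com", "nas.example.com"):
        name, value = dns01_record(ident, SAMPLE_TOKEN, SAMPLE_JWK)
        print(f"{ident:18} -> {name} TXT {value}")
```

Two things worth noticing when running it: the wildcard and the bare base name map to the same `_acme-challenge` owner, which is why a single DNS-01 record can satisfy both, and the TXT value depends only on the token and the account key, so the names being certified never pass through DNS at all. That is the property the thread relies on; the SAN list in the issued cert, by contrast, is what ends up in the public certificate logs.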

yeah, yeah. As I said, if I have to have public rec.s, it doesn't work.

yeap. got that also.

All good. real Homer moment re publication of cert. host names.

Thanks for the sounding board.

2 Likes

And in case the point was overlooked.
Devices that use multiple NICs (some of which are considered private) should always be of the firewall type - not a NAS type.

2 Likes

Behind external FW and otherwise locked down as tight as it can be.

1 Like

But the design calls for the Internet to reach the Synology which would have RP turned on and would have access to the secure zone.
Not a very locked down design.

Clicking "next", "next", "next" on those menu choices will NOT provide you with a truly secure configuration.

Maybe it's just me - but that wouldn't let me sleep well at night.

1 Like

If the host name is public, it doesn't work.

If the host name is not public and internal DNS only points to internal IP, the Synology is not going to respond to it from externally, because its external DNS-ing doesn't know it.

Not sure which "next", "next" menus you're talking about there.

For them to traverse public to private, they would need to be logged into device using either NAS UI or ssh - in which case I have bigger issues.

Risk, I'm willing to accept.

1 Like

Even if the host name isn't public, the fact that the NAS has access to it (via RP) means:
If you can use the NAS to reach the "secure" device, then anyone that can reach the NAS can reach the secure device.
The only thing keeping you secure is the security through obscurity - that they don't know the exact name.
Given: You are not a BANK or institution, so the amount of effort will be reduced accordingly.
But anyone willing to check all possible names against your NAS would eventually reach the correct name and reach the secure device - they were never supposed to see.
Not to mention if an exploit or built-in backdoor is ever found in the NAS.

That is not how you described using the NAS (via RP).
If you can use the NAS as a RP from one zone to another, then anyone else can too.

More than likely, the "secure" names would only contain letters (no numbers, no special characters allowed) and would be 8 or less in length.
How long do you think it would take to try all those possibilities?

Anyone can create a DNS zone in their internal DNS system to override your lack of IP.
*.your.domain CNAME your.domain
That would resolve all those unresolvable names and reach your NAS.

1 Like

I don't want it to sound like what you want is impossible.
It is totally possible.
It can be done better with a real firewall (than a two-legged NAS).
It can also be done with a hardened RP, not a default one provided by an all-purpose NAS.

1 Like

All good @rg305.

Appreciate the thought, effort and responses you have provided.

Thanks again.

2 Likes
