DNS – Bind9 – split DNS internal/external


Bind9 allows users the possibility of using one DNS for internal and external queries. Reducing the need to run two separate instances of Bind9.

Actions taken

Synology now publishes a DNS package running Bind9. I am currently running this for an internal DNS to speed up my local internal network. I however wished to try and expose an external DNS to gain greater control of my domain name.

I tried this by configuring the DNS using the synology DNS interface.
I however found I need to have

  • Recursion on for internal caching DNS.
  • Recursion off for external authoritative DNS.

This functionality however didn’t seem easily possible through the gui. Also effectively you are running an external facing piece of software very near your internal infrastructure there is a great risk of cross contamination either by user error, or software vunerablity.


As I said before. Why bother running your own external DNS. Your registrar does a better job.

DNS – external

Experimented with an external DNS as a possible way of gaining greater control.

Actions taken

DNS protocol runs on port 53. My internet supplier doesn’t block this. Some do. So I decided to run my own external DNS

DNSs come in two flavours.

  1. authoritative
  2. caching/recursive

It is important to know the difference as exposing a recursive DNS to the internet leaves you open to a lot more possible hacks including cache poisoning.
I believe a lot of these are more hypothetical, and certainly not worth trying on my site as I am only a small site with no real monetary value.
So for external facing DNS turn of recursion and make an authoritative DNS.

As I have a dynamic ip address I need to some hackery to ensure that my dos is authoritative and referenced by other DNSs.
I followed the example here:
This works quite nicely.


The bugger is in the details here. Each DNS record takes time to propagate, but more importantly each record has a serial number, by convention a date and 2 digit extension. This number however must always be incremeted for each record change or the change will not propagate.

Running your own DNS unless you have two external ips also means you now have a single point of failure. Also you are running a critical piece of architecture on one box, which might get accidentally switched off or fail. It is better to put the DNS records up at the registrar and let them worry about resilience.


Why bother! Running own DNS is single point of failure, exposing a possible backing point.

DNS – using internal DNS to block advertisements.

In order to improve my connectivity, use an internal DNS.

Actions taken

It was apparent that every time an advert appeared on youtube, my daughter, 2 year old, cried.
My initial though was put ad-blocking software on the iPad, but decided to go for a more holistic approach and block the advertisements at the DNS level.

My initial thoughts was to use my old DS101j as a DNS server for the house. This is a very old piece of kit dating back to 2003, but probably ok for the light load in my house. The only package that can be installed on it was dnsmasq via optwore.

After playing around with dnsmasq I discovered it is really great as a caching DNS, but pretty useless as a fully functional one. I wanted a DNS to do recursive queries and resolve internal and external addresses.
My next step was to investigate the DNS package that could be installed on the DS213j. Synology however neglect to be specific about the contents. After ssh-ing to the box and digging around I fount that the process is a renamed bind9. Bind9 being the industry standard for DNSs.

It was then simply a matter of following the tweets as listed here:

I did look if there was a bind10 and found this humorous piece which is quite telling of the software industry as a whole.

There really is only one industry standard generic DNS product, bind9.

Sleep! Everything needs sleep even your NAS


I obtained several Raspberry pi 2’s and noticed that the main NAS a DS213j and the secondary NAS DS101j (only used for backups) were not going to sleep.

Actions taken

  1. Secondary NAS issue

    After a lot of investigation. I concluded that the primary MAS was waking up the secondary NAS. As I am really using the secondary NAS to prevent the use of Wannacry and alike I decided to disable Samba on it. Thus the only way to access it now is via ssh or rsync (which is used for the backups)

  2. Primary NAS issue

    This was not sleep due to
    a) A raspberry pi running plex repeatedly interrogating my music library.
    b) Installed software did not allow the disks to go to sleep. Re Surveillance station which I removed as was not now necessary.


I can now see in the primary NAS logs the disks are periodically being woken from sleep.
And the secondary NAS which is quite noisy now remains silent all the time except at 3am in the morning when the backups occur.

Wannacry/WannaCrypt – Always backup!


I run a Synology DS213j which I use primarily as the house NAS.
After wannacry broke the NHS it reminded me of the importance of backups.
With regular backups ransomware like this is ultimately useless, other than a troublesome admin task to remove.

Actions taken

  1. Backup important directories hourly to a different directory on the NAS – primarily as a way of obtaining any documents I mistakenly change. I don’t want to be bothered using a versioning system.
  2. Ensure my mac is now running Time Machine which automatically backs to the NAS.
  3. Ensure the NAS itself is backed up by:
    a) Doing a rsync backup nightly to an even older ds101j nightly of main documents and photos.
    b) Doing a backup to an external usb disk that I can remove and cycle to ensure backups away from NAS with an air gap.
    c) Try periodically a test of the backups.
  4. Install antivirus on the NAS