FritzBox DNS Server Limitation: Why Your Synology Local DNS Won’t Work as Expected

I run local web services on my Synology NAS DS224+ and want to access the services via clean HTTPS URLs like `https://joplin.mydomain.synology.me` instead of `http://192.168.1.100:22300`.

The standard approach is:

  • Set up Synology DNS Server for local domain resolution
  • Configure your router (FritzBox) to use the NAS as DNS
  • Ensure internet access remains available when the NAS is powered off for maintenance or energy saving

Sounds simple, right? Unfortunately, FritzBox routers have a critical limitation that makes this impossible. (April 2026)

Here is what I tried to build

Client Device
  ↓ (DHCP provides DNS: 192.168.254.1)
FritzBox Router (192.168.254.1)
  ↓ (Primary DNS: 192.168.254.254)
Synology NAS DNS Server (192.168.254.254)

Synology DNS server resolves local addresses.

Internet domains: Forwards to 8.8.8.8

If NAS is down: (Secondary DNS: 8.8.8.8) Google Public DNS

Internet still works ✓

FritzBox Configuration Attempted

Internet → Zugangsdaten → DNS-Server

  • Primary DNS (IPv4): 192.168.254.254 (NAS)
  • Alternative DNS: 8.8.4.4 (Google)

Expected behavior

  • FritzBox receives DNS queries from clients
  • FritzBox forwards queries to NAS DNS server
  • If NAS is unavailable, FritzBox uses Google DNS as fallback
  • Clients always have DNS resolution

The Discovery: FritzBox Ignores Custom DNS Settings

Diagnostic Commands That Revealed the Truth

Testing DNS resolution from a client through FritzBox

$ nslookup joplin.mydomain.synology.me 192.168.254.1

Server: 192.168.254.1

Address: 192.168.254.1#53

Non-authoritative answer:

Name: joplin.mydomain.synology.me

Address: 2.205.133.110

Problem: Returns Synology’s public IP (2.205.133.110) instead of local IP (`192.168.254.254`).

Testing the NAS DNS server directly

$ dig @192.168.254.254 joplin.mydomain.synology.me

ANSWER SECTION:

joplin.mydomain.synology.me. 86400 IN A 192.168.254.254

Query time: 0 msec

SERVER: 192.168.254.254#53(192.168.254.254)

Success! The NAS DNS correctly returns the local IP.

The Issue: DNS Query Trace

Using `dig +trace` to see exactly how FritzBox resolves queries:

$ dig @192.168.254.1 joplin.mydomain.synology.me +trace +short

NS m.root-servers.net. from server 192.168.254.1 in 12 ms.

NS d.root-servers.net. from server 192.168.254.1 in 12 ms.

[… more root servers …]

Critical finding: FritzBox bypasses the configured NAS DNS entirely and queries internet root servers directly, eventually reaching Synology’s authoritative DNS server (`64.124.13.223`) which returns the public IP.

Why FritzBox DNS Settings Don’t Work

The Fundamental Misunderstanding

The „Internet → Zugangsdaten → DNS-Server“ setting controls what DNS servers FritzBox itself uses for its own internet connection, NOT what it uses for client queries or DNS forwarding.

FritzBox’s Built-in DNS Resolver Behavior

1. Embedded DNS caching resolver: FritzBox runs its own DNS resolver

2. Ignores configured upstream DNS: The resolver queries public DNS directly

3. No conditional forwarding: Cannot forward specific domains to local DNS servers

4. DHCP limitation: Can only distribute ONE DNS server to clients via DHCP

What About DNS Rebind Protection?

We added `mydomain.synology.me` to FritzBox’s DNS Rebind Protection exceptions list:

FritzBox → Heimnetz → Netzwerk → Netzwerkeinstellungen → DNS-Rebind-Schutz

This didn’t help because the FritzBox never queries the NAS DNS in the first place – the rebind protection would only matter if it did.

The Working Solution (With Trade-offs)

Since FritzBox cannot act as a DNS proxy with failover, you must choose:

Solution A: Direct NAS DNS (What’s Implemented)

FritzBox → Heimnetz → Netzwerk → Netzwerkeinstellungen

– Set „Lokaler DNS-Server“: `192.168.254.254` (NAS IP)

DHCP distributes to clients

– Primary DNS: `192.168.254.254` (NAS)

– No secondary DNS option available

Results

– Local domains resolve correctly

– Internet works (NAS forwards to 8.8.8.8)

– Clean HTTPS URLs work

When NAS is down: Total DNS failure, no internet

Verification

$ nslookup joplin.mydomain.synology.me

Server: 127.0.0.53

Address: 127.0.0.53#53

Non-authoritative answer:

Name: joplin.mydomain.synology.me

Address: 192.168.254.254

Success! Now resolves to local IP.

Solution B: Manual Client Configuration

For critical devices (work computers, servers), manually configure network settings with multiple DNS servers:

Network Settings → DNS:

– Primary DNS: `192.168.254.254` (NAS)

– Secondary DNS: `8.8.8.8` (fallback when NAS is down)

This provides resilience but requires manual configuration per device.

Synology DNS Server Configuration Details

For completeness, here’s the NAS DNS setup that works:

DNS Server → Resolution Tab

1. Enable resolution service (checked)

2. Source IP: „Allow from all“ (no restrictions)

3. Forwarder:

  • Primary: 8.8.8.8
  • Secondary: 1.1.1.1

DNS Server → Zones Tab

1. Create Master Zone “mydomain.synology.me”

2. Add A Records for each service:

  • joplin.mydomain.synology.me → `192.168.254.254`
  • paperless.mydomain.synology.me → `192.168.254.254`
  • partdb.mydomain.synology.me → `192.168.254.254`

The Ugly Truth: FritzBox DHCP Doesn’t Support Dual DNS

Even though FritzBox configuration shows fields for „Primary“ and „Alternative“ DNS under internet settings, there is no option to distribute multiple DNS servers to DHCP clients in most FritzBox models.

The DHCP server sends only one DNS server address to clients, making redundant DNS resolution impossible at the router level.

Workarounds for True Redundancy

Option 1: Accept Downtime During Maintenance

Keep NAS as primary DNS and schedule NAS maintenance during off-hours. For extended downtime, temporarily change FritzBox DHCP to distribute `8.8.8.8`, then switch back.

Option 2: Secondary DNS Server

Deploy a second DNS server (Raspberry Pi, Docker container, or cloud service) with identical zone configuration. Update FritzBox DHCP to point to the secondary when needed.

Option 3: Static IP Configuration

Configure critical devices with static DNS settings that include both NAS and public DNS, bypassing DHCP limitations entirely.

Key Diagnostic Commands Reference

To remind myself when troubleshooting similar DNS issues:

Test DNS resolution through specific server

nslookup domain.name SERVER_IP

Detailed DNS query with trace

dig @SERVER_IP domain.name +trace

Check current DNS configuration

resolvectl status

Test DNS with REFUSED errors (use dig instead of nslookup)

dig @192.168.254.254 domain.name

Verify DHCP-provided DNS

cat /etc/resolv.conf
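
The comparison made above (the same name asked once through the FritzBox and once at the NAS), as an added Python example that is not part of the original post: it sends one plain recursive A query to a resolver and labels the answer as local or public. The function names are made up for this illustration, and the replies in the demo are constructed from the addresses shown in the post.

```python
import ipaddress, socket, struct

def build_query(name, qid=0x1234):
    """Recursive A query (RD=1) in RFC 1035 wire format, like a client's stub resolver sends."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Step over a possibly compressed domain name; return the offset after it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, off)
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return flags & 0x000F, addrs

def verdict(addrs):
    """'local' if every A record is a private address, 'public' if any is not."""
    private = [ipaddress.ip_address(a).is_private for a in addrs]
    return "no-answer" if not addrs else "local" if all(private) else "public"

def ask(server, name, timeout=2.0):
    """One plain query to `server` over UDP; the client does no +trace-style iteration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def constructed_reply(name, ip, qid=0x1234):
    """Constructed sample reply (one A record, TTL 86400) so the demo runs offline."""
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 86400, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0) + build_query(name)[12:] + rr

if __name__ == "__main__":  # offline demo on constructed replies
    for via, ip in (("FritzBox", "2.205.133.110"), ("NAS", "192.168.254.254")):
        print(via, verdict(parse_a_records(constructed_reply("joplin.mydomain.synology.me", ip))[1]))
```

On the LAN, `ask("192.168.254.1", name)` and `ask("192.168.254.254", name)` return the two answers to compare.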

Conclusion: Know Your Router’s Limitations

Consumer routers like FritzBox are designed for simple home networks, not complex DNS architectures. The „Primary/Secondary DNS“ settings in FritzBox configuration are misleading – they control FritzBox’s own DNS usage, not what clients receive via DHCP.

For resilient local DNS with NAS services

  • Either accept NAS downtime = DNS downtime
  • Or manually configure dual DNS on critical devices
  • Or invest in prosumer/business routers with true conditional DNS forwarding (UniFi, pfSense, OPNsense)

What worked

  • Synology DNS Server handles local domain resolution perfectly
  • Direct client → NAS DNS configuration works reliably
  • DNS rebind exceptions are configured but ultimately unnecessary

What didn’t work

  • FritzBox as DNS proxy with NAS as upstream
  • Automatic DHCP-based DNS redundancy with FritzBox
  • The „Primary/Alternative DNS“ settings under Internet configuration

Technical Specifications

Environment

  • FritzBox Router 8.21 (Heimnetz configuration)
  • Synology NAS DSM 7.3.2
  • DNS Server Package
  • Network: 192.168.254.0/24
  • QuickConnect domain: mydomain.synology.me
