How to Setup Pi-hole on a Synology NAS

Today we are going to look at how to setup Pi-hole on a Synology NAS.

We will be looking at two different methods that both use Docker to install Pi-hole on a Synology NAS. The first method we are going to look at is “easier” and should be used if you don’t want to SSH into your NAS. This method utilizes the host network interface. The second method requires you to SSH into your Synology NAS to create a macvlan network interface for Docker. To answer the question you’re thinking, they both end up with the same functionality, but the first option will use your NAS’s IP address (and a different web port) while the second option (with the macvlan network interface) will have its own IP address.

Before we get started, it is incredibly important to note that having redundant DNS servers is very important. I highly suggest that you purchase a cheap Raspberry Pi Zero and configure Pi-hole on it so that you have two Pi-hole DNS servers. This will ensure that when your NAS is rebooted, your clients do not lose DNS resolution services.

1. Initial Steps

These steps need to be performed for either install, so we will get these steps out of the way first.

1. Install Docker from Synology’s Package Center.

2. We need to create two folders that we will map our Docker image to. By default, Docker will create a folder named docker after it’s finished installing. Inside of this folder, we are going to create a folder named pihole. Inside of that folder, we are going to create two subfolders. Create one folder named pihole and another folder named dnsmasq.d.

how to setup pi-hole on a synology nas

2. Host Network Interface (Option 1) - Synology NAS Pi-hole Setup

As stated above, this option will use the host network interface. For this reason, you will need to access Pi-hole using your Synology NAS’s IP address and a defined port.

3. Open Docker, navigate to the Registry, and search for Pi-hole. Double click Pi-hole/Pi-hole (official Pi-hole docker image) to download it.

Synology NAS Pi-hole Setup

4. Select Latest. The image will now download.

ph3

5. Double click the Pi-hole image to launch the Docker configuration.

Synology NAS Pi-hole Setup

6. Give your container a name, and then select Advanced Settings. NOTE: If you intend on using Pi-hole for DHCP, you need to check Execute container using high privilege.

Synology NAS Pi-hole Setup

7. We now need to configure the Advanced Settings.

  • Check off Enable auto-restart.

ph6

  • In the Volume section, we need to map the folders we created to the internal Docker Pi-hole locations. Select Add Folder and add the dnsmasq.d folder and type the mount path as /etc/dnsmasq.d. Do the same for the pihole folder with the mount path as /etc/pihole.

ph23

  • Under Network, select Use the same network as Docker Host.

ph8

  • Navigate to the Environment section. We will need to add a few variables.
  • Click the + sign and add these variables:
    • WEBPASSWORD: password that you’d like to access the admin portal with.
    • WEB_PORT: The port you’d like to access the admin portal with. This needs to be something that’s not used. Generally, something in the 8000’s should be fine.
    • DNSMASQ_LISTENING: local
    • ServerIP: This already exists. Change this to the IP address of your NAS.

synology nas pi-hole setup

8. Click Apply to create the Pi-hole docker container.

9. Since you are using your host network interface, you will have to open port 53 and the “WEB_PORT” you selected above (8888 is what I used) on your Synology firewall. This is the default DNS port and the port for the Pi-hole web portal. If you want to know how to configure the firewall, I created a tutorial here.

10. Open the Control Panel and navigate to Firewall. Select Edit Rules.

11. Create a rule with the custom port that you defined above. The protocol can be left as TCP.

synology nas pi-hole setup

12. Create a rule with the DNS port which is 53. Under protocol, select All.

ph21

13. Ensure the rules are above your Deny All rule.

14. You should now be able to access Pi-hole using this web address: http://[NAS IP_ADDRESS]:[WEB_PORT]/admin

Synology NAS Pi-hole Setup

15. The installation process is now complete. Navigate to the DNS Configuration section to complete the configuration process.

3. Macvlan Network Interface (Option 2) - How to Setup Pi-hole on a Synology NAS

As of the writing of this post, I cannot get v5.1.1 (latest version) to work with this method. I have tested various times and can confirm that v5.0 and v5.1 are working properly.

v5.1.2 appears to have resolved the issue that v5.1.1 caused!

As stated above, the benefits of completing the set up this way are that we can give our Pi-hole its own IP address. This requires that we SSH into our Synology NAS.

1. Ensure you can SSH into your Synology NAS. Open Control Panel, select Terminal & SNMP, and Enable SSH service. If you are using Synology’s Firewall, ensure that you allow port 22 traffic. I created a video on how to SSH into your Synology NAS if you have any problems.

ph10

2. SSH into your Synology NAS using your favorite SSH tool. The first thing that we need to do is create a resolv.conf file to allow Docker to get the correct DNS server addresses. This step might not be mandatory for you but I had major problems configuring Pi-hole without this. Run these commands:

cd /[VOLUME_#]/docker/pihole
sudo vi resolv.conf

synology nas pi-hole setup

3. In the file that is created, enter the two lines below and save the file. If you aren’t sure how to use the vi editor, you can learn how to use it here. NOTE: If you have trouble with this, just create a local file named resolv.conf with the two lines below and upload it to your pihole folder in DSM.

nameserver 127.0.0.1
nameserver 8.8.8.8

synology nas pi-hole setup

4. Now that the file is created, we need to create a docker macvlan network interface. First, we need to determine what network interfaces currently exist (on your Synology NAS) and note down the adapter name. To do this, run the command below and note down the network interface name that has your Synology NAS’s IP address (in this example, mine is eth0).

ifconfig

synology nas pi-hole setup

5. Next, you need to run the command below while substituting the correct subnet (most are 192.168.1.0/24 by default). You also need to pick an IP address that you’d like to use that’s not currently in use. I will be using 192.168.1.198. NOTE: ph_network will be the name of the network (you can substitute this as you’d like).

sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range=192.168.1.198/32 ph_network

ph25

Our network is now created. We can then exit our SSH session and disable it in DSM (if you won’t be using it). If you are disabling it and created a firewall rule for it, you should inactivate the firewall rule as well.

6. Next, we need to create a bridge network. This is what will allow our host (NAS) to communicate with our Pi-hole container. Open Docker and navigate to the Network section. Select Add and enter a subnet that’s not currently in use. The IP address of the bridge I am creating will be 192.168.10.2.

ph15

7. Our new networks are now created. Next, we need to create our Pi-hole container.

8. Open Docker, navigate to the Registry, and search for Pi-hole. Double click Pi-hole/Pi-hole (official Pi-hole docker image) to download it.

pi-hole synology nas

9. Select v5.1. The image will now download.

ph19

10. Give your container a name, and then select Advanced Settings. NOTE: If you intend on using Pi-hole for DHCP, you need to check Execute container using high privilege.

ph16

11. We now need to configure the Advanced Settings.

  • Check off Enable auto-restart.
  • In the Volume section, we need to map the folders we created to the internal Docker Pi-hole locations. Select Add Folder and add the dnsmasq.d folder and type the mount path as /etc/dnsmasq.d. Do the same for the Pi-hole folder with the mount path as /etc/pihole.
  • Unlike the first option, we have to map our resolv.conf file as well. Select File and navigate to the resolv.conf file that we created. Enter the mount path as /etc/resolv.conf.

ph17

  • Under the network section, add the two networks we created (ph_network, ph_bridge) and remove the bridge network.

ph18

  • Click the + sign and add these variables:
    • WEBPASSWORD: the password that you’d like to access the admin portal with.
    • DNSMASQ_LISTENING: local
    • VIRTUAL_HOST: pihole
    • ServerIP: This already exists. Change this to the IP address of the ph_network we created above (192.168.1.198).

ph24

12. Click Apply to create the Pi-hole docker container.

13. You should now be able to access Pi-hole using this web address: http://[IP_ADDRESS]/admin

4. DNS Configuration - How to Setup Pi-hole on a Synology NAS

Now that the setup of Pi-hole is complete, we need to determine a way to point our clients to our DNS server. There are two main ways to do this:

  • Point your router’s DNS server to your Pi-hole server IP address. This will ensure that any device connected will use Pi-hole as its DNS server.
  • Point each client to your DNS server. This is beneficial if you only want certain clients to use Pi-hole as a DNS server.

I point my routers DNS servers to my Pi-hole server as I want to ensure every device connects to it.

ph22 1

5. Conclusion

This tutorial explained how to setup Pi-hole on a Synology NAS. The process isn’t too bad and Pi-hole is awesome! I’ve been using it for a while and while I run into the occasional issue where it blocks something I need, finding it and whitelisting it is a fairly easy process.

Once again, I will point out the importance of redundant Pi-hole servers. There are so many benefits to having a second DNS server, and with Raspberry Pi Zero kits being as cheap as $25, it’s worth it.

Thanks for reading the tutorial. If you have any questions, please leave them in the comments!

This Post Has 102 Comments

  1. Hi. Great guide, thank you 🙂
    I have a question on the last part of the guide, regarding opening the ports in the firewall; method 1, Step 12/13.
    I’m not sure if Source-IP should be left “All”, or what that should be. And I assume the rules should be “Allow”.
    It would be great if you could show a screenshot with the overview of the two rules, just to confirm that I did it correctly.

    1. Since you aren’t opening the port on your router, you can leave it as all. I am super busy so I’m not sure when I will get time for a screenshot, but please feel free to email me at [email protected] with the screenshot of how yours is set up and I’m happy to confirm it’s correct.

  2. Perhaps stupid question, about changing the DNS IP in my router.
    Could my primary DNS be my Pi-Hole, and the secondary by for example Googles DNS server?

    So in case my NAS or Pi-Hole fails, then all devices in the house will use the secondary DNS instead, and we can still surf the web.
    Would that work?

    1. Absolutely! Just know that if any DNS requests go to Google, you will not have ad-blocking.

  3. Hi,

    Thanks for the amazing tutorials. Discovered your channel 2 weeks back and enjoying going back in time to discover what I’ve missed.

    I’ve setup 2 PiHole like you mentioned, one on my Synology, another on one of my server (VM on Ubuntu ). And set them both at router level.

    Is that enough to ensure load balancing and optimal performance? Would you have a tutorial/guide I might have missed that explain how to do that ? For now it seems like all my clients are hitting the first DNS while the second one seems pretty bored with nothing to do 🙂

    Thanks for the help and thanks again for the great work !

    1. Everything you did is perfect! If the main Pi-hole instance is overloaded, requests will automatically be sent to the second Pi-hole instance. You also will have the benefit of redundancy now. Great job!

      1. Apologies for the 2 posts. I didn’t know if my first message went through or not.

        Thanks for the advice. Despite setting my Synology as my first dns the second one (the NUC11) seems to be doing all the work. Do you know what are the mechanics behind that ? That’s definitely out of scope for this tutorial though 🙂

        1. I don’t believe that it matters which one you set (though I could be wrong) as the device will simply go to whichever one it deems available. I think that the terms “primary” and “secondary” are used relatively loosely as I experienced similar behavior.

  4. Hi,

    I’ve absolutely enjoyed your tutorials so far. I’ve discovered your channel 2 weeks ago and been going back in time to look at all the videos one by one, and found some very useful tips in them. Thanks for the time spent in helping us.

    I’ve setup 2 pihole on my local machines : one in a VM inside a small Intel NUC that I have, and one in my Synology NAS in order to have redundancy setup, following this guide. In another video you mention how critical and important it is to have two pihole setup, and you also mention that you naturally got “load balancing” out of this setup.

    Both mine are working (nslookup from my lan to any ip resolves correctly), and both are set on my router (Google wifi) to ensure everyone gets it lan-wide. However, after a day or two, I observe that the load balancing didn’t come to me naturally. One gets more than 95% of the requests, the second one almost none.

    Did you have to go through something specific to load balance ?

    Thanks again for the help.

    1. Just replied to your other comment – sorry, I have to approve the comments due to tons of spam. If you have any other questions, please let me know!

  5. How can I add a private upstream DNS server like unbound? (On Synology)

    1. I haven’t set it up myself so I can’t validate exactly how it will work, but I believe you’ll have to spin up a new container.

  6. Hi, great tutorial!
    Short question/situation:

    I have synology router (192.168.1.1) as DHCP and DNS the same (asks cloudflare 1.1.1.1).
    Domain on the router is home48
    – when I ping from windows1 windows2 it reply with windows2.home48

    I have now set up pihole in docker (method1) and manually set 192.168.1.2 (Synology NAS) as DNS just for windows1.
    All is great, adds are blocked but:

    when I ping windows2 = could not find host windows2
    Basically, no more LAN devices hostname resolution.

    Any clues ?
    Thank you!

    1. Yes, that’s how it’s supposed to work (strangely). On your router, there’s a local DNS section where it knows the device name and it’s used as a DNS lookup. If you’d like this to work in Pi-hole, go under “local DNS records” and create a record for the specific local IP address. It should then work as you’re expecting it to.

      1. So even no Synology DNS server package is installed on the router, the router knows the hostnames. Maybe a way to make Pihole forward local “.home48” requests to the Synology Router? Adding a hostname/reservation on the router and than having to add the same record on the pihole is not the nicest thing 🙂

        Also, since I see a lot of questions about it:
        Synology router (and other routers I believe) has built-in Cloudflare DoH support.
        Maybe a tutorial “add-on” on how to also make DNS queries private too using Pihole?
        Thanks!

        1. I will look into if it can be synced any way, but generally, it’s a pretty easy one-time setup for the local DNS servers. As for Cloudflare DoH, check out Unbound (I have a tutorial for it, though not on a Synology NAS – I will add it to my list). This is most likely what you’re looking for!

          1. Hi, about DoH, I found a simple way to do it (don’t want to mess with macVlan or editing to much stuff not because it is hard, but because Synology updates might break stuff … like it happened with USB support in DSM7 and etc.)

            Basically, you install a simple cloudflared container (https://hub.docker.com/r/visibilityspots/cloudflared), and in PiHole use that container on port #5054 as the only upstream DNS.
            After, 1.1.1.1/help should see connection as DoH.

            But still, your videos are much more nice than written stuff so you could include it like a 2min ‘add-on’.
            PS: and maybe add the setup part for DHCP on pihole too.

          2. Great input, thank you! Will definitely take a look into this!

Comments are closed.

Close Menu