In this tutorial, we are going to look at how to setup Pi-hole on a Synology NAS.
We will be looking at two different methods on how to setup Pi-hole on a Synology NAS. The first method we are going to look at is “easier” and should be used if you don’t want to SSH into your NAS. This method utilizes the host network interface. The second method requires you to SSH into your Synology NAS to create a macvlan network interface for Docker.
To answer the question you’re thinking, they both end up with the same functionality, but the first option will use your NAS’s IP address (and a different web port) while the second option (with the macvlan network interface) will have its own IP address.
Before we get started on how to setup Pi-hole on a Synology NAS, it is incredibly important to note that having redundant DNS servers is very important. I highly suggest that you purchase a cheap Raspberry Pi Zero and configure Pi-hole on it so that you have two Pi-hole DNS servers. This will ensure that when your NAS is rebooted, your clients do not lose DNS resolution services.
1. How to Setup Pi-hole on a Synology NAS
The steps below on how to setup Pi-hole on a Synology NAS need to be performed for either install, so we will get these steps out of the way first.
1. Install Docker from Synology’s Package Center.
2. We need to create two folders that we will map our Docker image to. By default, Docker will create a folder named docker after it’s finished installing. Inside of this folder, we are going to create a folder named pihole.
Inside of that folder, we are going to create two subfolders. Create one folder named pihole and another folder named dnsmasq.d.
1.1 Host Network Interface (Option 1) – How to Setup Pi-hole on a Synology NAS
As stated above, this option will use the host network interface. For this reason, you will need to access Pi-hole using your Synology NAS’s IP address and a defined port.
3. Open Docker, navigate to the Registry and search for Pi-hole. Double-click Pi-hole/Pi-hole (official Pi-hole docker image) to download it.
4. Select Latest. The image will now download.
5. Double-click the Pi-hole image to launch the Docker configuration.
6. Select Use the same network as Docker Host, then select Next.
7. Give your container a name, enable auto-restart, and then select Advanced Settings.
NOTE: If you intend on using Pi-hole for DHCP (most people won’t), you need to check Execute container using high privilege.
8. We now need to configure the Advanced Settings. Navigate to the Environment section. We will need to add a few variables. Select Add and add the variables below. When completed, you can Save and then select Next to proceed.
- WEBPASSWORD: password that you’d like to access the admin portal with.
- WEB_PORT: The port you’d like to access the admin portal with. This needs to be something that’s not used. Generally, something in the 8000’s should be fine.
- DNSMASQ_LISTENING: local
- ServerIP: Change this to the IP address of your NAS.
9. In the Volume section, we need to map the folders we created to the internal Docker Pi-hole locations. Select Add Folder and add the dnsmasq.d folder and type the mount path as /etc/dnsmasq.d. Do the same for the pihole folder with the mount path as /etc/pihole. Select Next.
10. Click Done to create the Pi-hole docker container!
11. Since you are using your host network interface, you will have to open port 53 and the “WEB_PORT” you selected above (8888 is what I used) on your Synology firewall. This is the default DNS port and the port for the Pi-hole web portal. If you want to know how to configure the firewall, I created a tutorial here that you can follow.
12. Open the Control Panel and navigate to Firewall. Select Edit Rules.
13. Create a rule with the custom port that you defined above. The protocol can be left as TCP.
14. Create a rule with the DNS port 53. Under protocol, select All.
15. Ensure the rules are above your Deny All rule.
16. You should now be able to access Pi-hole using this web address:
http://[NAS IP_ADDRESS]:[WEB_PORT]/admin
15. The installation process is now complete. Navigate to the DNS Configuration section to complete the configuration process.
1.2 Macvlan Network Interface (Option 2) – How to Setup Pi-hole on a Synology NAS
The process above looked at how to setup Pi-hole on a Synology NAS using the host network interface. As stated above, the benefits of completing the setup using a macvlan network interface is that we can give our Pi-hole container its own IP address. This requires that we SSH into our Synology NAS.
1. Ensure you can SSH into your Synology NAS. Open Control Panel, select Terminal & SNMP, and Enable SSH service. If you are using Synology’s Firewall, ensure that you allow port 22 traffic.
I created a video on how to SSH into your Synology NAS if you have any problems.
2. SSH into your Synology NAS using your favorite SSH tool. The first thing that we need to do is create a resolv.conf file to allow Docker to get the correct DNS server addresses. This step might not be mandatory for you but I had major problems configuring Pi-hole without this. Run these commands:
cd /[VOLUME_#]/docker/pihole sudo vi resolv.conf
3. In the file that is created, enter the two lines below and save the file. If you aren’t sure how to use the vi editor, you can learn how to use it here.
NOTE: If you have trouble with this, just create a local file named resolv.conf with the two lines below and upload it to your pihole folder in DSM.
nameserver 127.0.0.1 nameserver 8.8.8.8
4. Now that the file is created, we need to create a docker macvlan network interface. First, we need to determine what network interfaces currently exist (on your Synology NAS) and note down the adapter name. To do this, run the command below and note down the network interface name that has your Synology NAS’s IP address (in this example, mine is eth0).
ifconfig
5. Next, you need to run the command below while substituting the correct subnet (most are 192.168.1.0/24 by default). You also need to pick an IP address that you’d like to use that’s not currently in use. I will be using 192.168.1.198.
NOTE: ph_network will be the name of the network (you can substitute this as you’d like).
sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range=192.168.1.198/32 ph_network
Our network is now created. We can then exit our SSH session and disable it in DSM (if you won’t be using it). If you are disabling it and created a firewall rule for it, you should inactivate the firewall rule as well.
6. Next, we need to create a bridge network. This is what will allow our host (NAS) to communicate with our Pi-hole container. Open Docker and navigate to the Network section. Select Add and enter a subnet that’s not currently in use. The IP address of the bridge I am creating will be 192.168.10.2.
7. Our new networks are now created. Next, we need to create our Pi-hole container.
8. Open Docker, navigate to the Registry, and search for Pi-hole. Double-click Pi-hole/Pi-hole (official Pi-hole docker image) to download it.
9. Select latest. The image will now download. When it’s finished downloading, double-click it (from the Image directory) to create a new container.
10. Select the ph_network and ph_bridge networks, then select Next.
10. Give your container a name, enable auto-restart, then select Advanced Settings.
NOTE: If you intend on using Pi-hole for DHCP, you need to check Execute container using high privilege.
11. We now need to configure the Advanced Settings. Navigate to the Environment section. We will need to add a few variables. Select Add to add the variables below. When completed, you can Save and then select Next to proceed.
- WEBPASSWORD: the password that you’d like to access the admin portal with.
- DNSMASQ_LISTENING: local
- VIRTUAL_HOST: pihole
- ServerIP: Change this to the IP address of the ph_network we created above (192.168.1.198).
12. You can leave the ports as auto (since we’re using the macvlan network interface), then select Next.
13. In the Volume section, we need to map the folders we created to the internal Docker Pi-hole locations. Select Add Folder and add the dnsmasq.d folder and type the mount path as /etc/dnsmasq.d. Do the same for the pihole folder with the mount path as /etc/pihole.
Unlike the first option, we have to map our resolv.conf file as well. Select File and navigate to the resolv.conf file that we created. Enter the mount path as /etc/resolv.conf. Select Next.
14. Click Done to create the Pi-hole docker container!
15. You should now be able to access Pi-hole using this web address:
http://[ph_network_IP_ADDRESS]/admin
1.3 DNS Configuration – How to Setup Pi-hole on a Synology NAS
Now thatwe looked at how to setup Pi-hole on a Synology NAS and that section is complete, we need to determine a way to point our clients to our DNS server. There are two main ways to do this:
- Point your router’s DNS server to your Pi-hole server IP address. This will ensure that any device connected will use Pi-hole as its DNS server.
- Point each client to your DNS server. This is beneficial if you only want certain clients to use Pi-hole as a DNS server.
I point my routers DNS servers to my Pi-hole server as I want to ensure every device connects to it.
2. Conclusion – How to Setup Pi-hole on a Synology NAS
This tutorial explained how to setup Pi-hole on a Synology NAS. The process on how to setup Pi-hole on a Synology NAS isn’t too bad and Pi-hole is awesome! I’ve been using it for a while and while I run into the occasional issue where it blocks something I need, finding it and whitelisting it is a fairly easy process.
Once again, I will point out the importance of redundant Pi-hole servers. There are so many benefits to having a second DNS server, and with Raspberry Pi Zero kits being as cheap as $25, it’s worth it.
Thanks for checking out the tutorial on how to setup Pi-hole on a Synology NAS. If you have any questions on how to setup Pi-hole on a Synology NAS, please leave them in the comments!
Hi. Great guide, thank you 🙂
I have a question on the last part of the guide, regarding opening the ports in the firewall; method 1, Step 12/13.
I’m not sure if Source-IP should be left “All”, or what that should be. And I assume the rules should be “Allow”.
It would be great if you could show a screenshot with the overview of the two rules, just to confirm that I did it correctly.
Since you aren’t opening the port on your router, you can leave it as all. I am super busy so I’m not sure when I will get time for a screenshot, but please feel free to email me at [email protected] with the screenshot of how yours is set up and I’m happy to confirm it’s correct.
Perhaps stupid question, about changing the DNS IP in my router.
Could my primary DNS be my Pi-Hole, and the secondary by for example Googles DNS server?
So in case my NAS or Pi-Hole fails, then all devices in the house will use the secondary DNS instead, and we can still surf the web.
Would that work?
Absolutely! Just know that if any DNS requests go to Google, you will not have ad-blocking.
Hi,
Thanks for the amazing tutorials. Discovered your channel 2 weeks back and enjoying going back in time to discover what I’ve missed.
I’ve setup 2 PiHole like you mentioned, one on my Synology, another on one of my server (VM on Ubuntu ). And set them both at router level.
Is that enough to ensure load balancing and optimal performance? Would you have a tutorial/guide I might have missed that explain how to do that ? For now it seems like all my clients are hitting the first DNS while the second one seems pretty bored with nothing to do 🙂
Thanks for the help and thanks again for the great work !
Everything you did is perfect! If the main Pi-hole instance is overloaded, requests will automatically be sent to the second Pi-hole instance. You also will have the benefit of redundancy now. Great job!
Apologies for the 2 posts. I didn’t know if my first message went through or not.
Thanks for the advice. Despite setting my Synology as my first dns the second one (the NUC11) seems to be doing all the work. Do you know what are the mechanics behind that ? That’s definitely out of scope for this tutorial though 🙂
I don’t believe that it matters which one you set (though I could be wrong) as the device will simply go to whichever one it deems available. I think that the terms “primary” and “secondary” are used relatively loosely as I experienced similar behavior.
Hi,
I’ve absolutely enjoyed your tutorials so far. I’ve discovered your channel 2 weeks ago and been going back in time to look at all the videos one by one, and found some very useful tips in them. Thanks for the time spent in helping us.
I’ve setup 2 pihole on my local machines : one in a VM inside a small Intel NUC that I have, and one in my Synology NAS in order to have redundancy setup, following this guide. In another video you mention how critical and important it is to have two pihole setup, and you also mention that you naturally got “load balancing” out of this setup.
Both mine are working (nslookup from my lan to any ip resolves correctly), and both are set on my router (Google wifi) to ensure everyone gets it lan-wide. However, after a day or two, I observe that the load balancing didn’t come to me naturally. One gets more than 95% of the requests, the second one almost none.
Did you have to go through something specific to load balance ?
Thanks again for the help.
Just replied to your other comment – sorry, I have to approve the comments due to tons of spam. If you have any other questions, please let me know!
How can I add a private upstream DNS server like unbound? (On Synology)
I haven’t set it up myself so I can’t validate exactly how it will work, but I believe you’ll have to spin up a new container.
Hi, great tutorial!
Short question/situation:
I have synology router (192.168.1.1) as DHCP and DNS the same (asks cloudflare 1.1.1.1).
Domain on the router is home48
– when I ping from windows1 windows2 it reply with windows2.home48
I have now set up pihole in docker (method1) and manually set 192.168.1.2 (Synology NAS) as DNS just for windows1.
All is great, adds are blocked but:
when I ping windows2 = could not find host windows2
Basically, no more LAN devices hostname resolution.
Any clues ?
Thank you!
Yes, that’s how it’s supposed to work (strangely). On your router, there’s a local DNS section where it knows the device name and it’s used as a DNS lookup. If you’d like this to work in Pi-hole, go under “local DNS records” and create a record for the specific local IP address. It should then work as you’re expecting it to.
So even no Synology DNS server package is installed on the router, the router knows the hostnames. Maybe a way to make Pihole forward local “.home48” requests to the Synology Router? Adding a hostname/reservation on the router and than having to add the same record on the pihole is not the nicest thing 🙂
Also, since I see a lot of questions about it:
Synology router (and other routers I believe) has built-in Cloudflare DoH support.
Maybe a tutorial “add-on” on how to also make DNS queries private too using Pihole?
Thanks!
I will look into if it can be synced any way, but generally, it’s a pretty easy one-time setup for the local DNS servers. As for Cloudflare DoH, check out Unbound (I have a tutorial for it, though not on a Synology NAS – I will add it to my list). This is most likely what you’re looking for!
Hi, about DoH, I found a simple way to do it (don’t want to mess with macVlan or editing to much stuff not because it is hard, but because Synology updates might break stuff … like it happened with USB support in DSM7 and etc.)
Basically, you install a simple cloudflared container (https://hub.docker.com/r/visibilityspots/cloudflared), and in PiHole use that container on port #5054 as the only upstream DNS.
After, 1.1.1.1/help should see connection as DoH.
But still, your videos are much more nice than written stuff so you could include it like a 2min ‘add-on’.
PS: and maybe add the setup part for DHCP on pihole too.
Great input, thank you! Will definitely take a look into this!