Synology complete DNS solution

I have set up a raspberry pi running pihole and unbound (as upstream DNS - see very well for the past couple of months. I also use unifi and was able to force all DNS requests through the pihole which prevents any ads leaking on devices which try to use other DNS servers. This is all brilliant and I am very happy.

A couple of weeks ago my pihole ran into a major issue (since resolved). Unfortunately due to my very strict setup and not allowing any other DNS on my network, this effectively knocked out my internet (oops).

In order to prevent further sudden issues I was hoping to use a second similar setup on another device. I have a synology NAS running in my home and see that people have had some good results running pihole on this.

I wonder, therefore, is it possible to set up pi-hole on synology and have synology DNS act as the upstream DNS once requests have been filtered by the pihole? (similar to my current pi-hole/unbound setup on the pi). On the pi this relies on using the default port on pihole and forwarding upstream DNS requests to a second non-standard port for unbound on the same machine.

The issue I can see presently is that there seems to be no way to change the port of the synology DNS server so both pihole and synDNS would be fighting over the standard port.

Anyone got any ideas?

I suppose I could always just install unbound on the synology as well, but it might be nice to have a completely different DNS package as this would give an extra level of protection against any software flaws in unbound (maybe there would also be a performance benefit).

If you can’t change the port of the Synology DNS or the host it binds on (to instead of optimally), then you can’t use that as the upstream for Pi-hole since clients would directly query that service instead of Pi-hole.

I have just found that I can limit the clients which can query it.
If I limited requests to would that work? Or will that just blackhole all DNS requests rather than using pihole at all?

It will still be listening on port 53, so it will simply prevent all other clients from making DNS queries.
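The port conflict discussed in the replies above, as an added example that is not part of the original thread: two DNS services on one host can only coexist if they differ in port or in bind address, and a client allow-list changes neither. Assumptions: unprivileged UDP ports stand in for port 53, `127.0.0.2` stands in for a second address on the host, and the bind behaviour shown is that of Linux.

```python
import errno
import socket


def try_bind(addr, port):
    """Bind a UDP socket to (addr, port); return it, or None if the address is in use."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return s
    except OSError as e:
        s.close()
        if e.errno == errno.EADDRINUSE:
            return None
        raise


def coexist(first_addr, second_addr, same_port=True):
    """Return True if two UDP listeners with these bind addresses can both start."""
    # Port 0 lets the kernel pick a free unprivileged port (stand-in for 53).
    first = try_bind(first_addr, 0)
    port = first.getsockname()[1]
    second = try_bind(second_addr, port if same_port else 0)
    ok = second is not None
    first.close()
    if second:
        second.close()
    return ok


def scenarios():
    return {
        # One service on all interfaces, the other on loopback, same port: conflict.
        "wildcard_then_loopback_same_port": coexist("0.0.0.0", "127.0.0.1"),
        # Each service bound to its own address, same port (127.0.0.2 is an assumed
        # second address; Linux treats all of 127.0.0.0/8 as local).
        "two_addresses_same_port": coexist("127.0.0.1", "127.0.0.2"),
        # Same address, different ports: the Pi-hole plus unbound arrangement.
        "same_address_two_ports": coexist("127.0.0.1", "127.0.0.1", same_port=False),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        result = "both listeners start" if ok else "second bind fails (address in use)"
        print(f"{name}: {result}")
```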

Perhaps it is easier just to buy a Pi Zero W as a failover.