Synology pi-hole setup help

Help Synology
1

I'm running pihole in docker on my DS718+. pihole admin console is showing hits to DNS but shows 0% of ads blocked. The pihole is set up with the network ip address of my nas but on a different port (had to change as port number was conflicted with unifi controller). Just set up the unifi yesterday; these are my first ever and there is a steep learning curve.

I have DNS settings under the SRM on the router (Network Center < Local Network, and at Network Center < Internet). I've added screenshots for both. I also have DNS settings in the DSM for the NAS (which points to 192.168.1.1 -- my router). I'm really not sure what to put for any of them at this point. On the pihole console, I'm using cloudflare as my upstream DNS and have ticked the default "listen only on interface eth0).

Can you set me on the right path here?

router%20dns%20internet
router%20dns%20internet1156×711 96.7 KB
router%20dns%20local%20network
router%20dns%20local%20network1175×742 84.5 KB

rt2600ac
DS718+

2

Added my debug log from console.

https://tricorder.pi-hole.net/wok9kni3um

3

Anyone?

4

Your setup -as you described it- seems both incomplete and already quite complex, comprising several special use devices and running a dockered Pi-hole. That makes it difficult to understand where your problem lies. :thinking:

At the moment, it seems your problem is not specifically tied to Pi-hole, but rather to your network setup.
While this forum is good at solving Pi-hole problems, there are probably better places to get support on network configurations for specific devices like Synology routers or NAS systems and Unifi controllers.

So my advice will be limited to pointing out a few general issues where I think -based on what info you provided only- your understanding is lacking (if just by a tiny bit :wink: - apologies if you already knew the lot):

Make sure you have exactly one DHCP server on your local network

You neeed to identify and/or decide which machine (and software) is acting as DHCP server in your network. It seems you have at least three candidates in your network for this role:
Your RT2600ac router, your DS718+ NAS, and Pi-hole.
You did not specify whether your Unifi controller is just software or another piece of hardware, and you did not mention a modem (RT2600ac lacks DSL and broadband) - you should consider those also if you have them.
Only one of them should be your DHCP server - make sure DHCP is disabled on all other devices.

Understand the difference between upstream (or WAN) and local (or LAN) DNS servers

Your local DNS server will be used by your local network clients for host name resolution. Normally, it will be announced to a client by your DHCP server, but can be set manully on each client device. Only a local DNS server can know about the host names of devices in your local network.
Your upstream DNS server is a DNS server that is used by your local DNS server (e.g. a router or Pi-hole) for resolving public host names on the internet. Your ISP will routinely announce its own DNS servers to be used by your modem or router. Most devices will allow manual configuration of upstream DNS servers,

Understand the (non)-significance of defining multiple DNS servers

Most DNS configuration UIs will allow you to state several DNS server addresses, usually a primary and one or more alternative ones.
It's important to note that employment of a certain DNS server for any given DNS query is totally at the device's discretion.
If you want to enforce the use of a specific DNS server (like Pi-hole), it must be the only DNS server on the list.

Don't change the ports Pi-hole uses

Clients within your network will use the standard DNS port (53) to contact a DNS server by default.
If you do change ports, be sure you know why you are doing this, and how to ensure that your network configuration will actually re-route DNS queries to the correct port.

Understand how Docker isolates networks

Make yourself familiar with Docker's networking options. Depending on how you configure Docker, you might push Pi-hole into a network that is not readily accessible by your local clients. This is especially true if you decide to make Pi-hole your DHCP server. In that case, be sure to read Docker DHCP and Network Modes
__

(Dont' forget to click for details above)

I am not familar with neither your hardware nor the software it runs, so you have to resort to more knowledgable sources on how to convert my hints into actions specific for your devices. Probably try Synology's forums or manuals for a start.

Once you've sorted out your network setup, you are very welcome to return here, should you encounter problems getting Pi-hole up and running :slight_smile:

1 Like
5

Great post. Helpful info. Thank you.

Nah!! Lol. Yes.

that is probably true. But I think I've mostly figured out my network now. I now understand that my upstream DNS settings on my router can be left to cloudflare and that I set my local dns settings under my DHCP Server (on my router) to point to the pihole lan ip address (192.168.1.8; same as my NAS). Though I haven't pointed my the guest network dhcp server dns settings to the pihole yet.

I've doubled checked this. No other DHCP server is active besides my router (not enabled on pi-hole or on NAS (or on unifi switch I've just installed on the network but is just "dumb" for now).

I haven't. I've only changed the port to access the UI to 8181.

My pihole is functioning. Today's stats show 16.6% blocked out of 2,259 queries. It seems like a low % blocked. I've checked this website and it seems to block the ads. Would it be helpful now to run a log and post it here for someone to look at? Or should I just assume it is working correctly? 16% just seems low (but what do I know)

6
There's no race for top blocking rates with Pi-hole...

...and a rate of 100% would mean you can't access anything on the internet by its host name anymore :wink:
Blocking rate is influenced by a whole bunch of factors, e.g. blocklists you use, a client's operating system (I find Apple devices to be less talkative than Windows or Android, old Androids <6.0 are the worst), extra ad blocking software on your devices (e.g. Blokada for smartphones or uBlock Origin in browsers), and even the site's you visit.
If you'd spend the whole day reading Pi-hole's forum exclusively, your blocking rate would be close to zero (some telemetry OS requests might be blocked).

So there can be no serious recommendation as to whether your 16% blocking rate is good or you need to take action immediately.

All I can say is it doesn't look unusual.

In fact, the blocking rate as shown by Pi-hole is not even a good indicator of how much traffic actually is being blocked. A client just asks for a host name's IP address once and then communicates to that IP address after. There is no deterministic way to relate blocked DNS lookups to subsequent omitted queries or even savings in download volumes.

Now, you might be tempted to pump every available blocking list into Pi-hole.
There's no need for that. In my experience, Pi-hole's default lists are already providing adequate filtering.

If you want to expand on that, go for quality and content, not for sheer volume.
WaLLy3k's Blocklist collection is a good starting point, and Steven Black's hosts files do a good job in grouping blocking lists by topics.
Focus your attention on the sites you visit regularly - if they still show ads, go tune your blacklists until satisfied. After all, it's of little use having a domain on your block list that you never visit.

I use a browser extension (uBO Scope) to help me determine what sites to block. It calculates 3rd-party exposure, but I often use it just to find out which 3rd-party domains a site tried to contact, and also which domains it did manage to contact.

A final note: Due to the nature of IPv6 with its several different ways of network (auto) configuration, IPv6 capable devices are notorious for bypassing Pi-hole. For that reason, I'd recommend disabling IPv6 within your local network, if your router supplies such an option.

1 Like
7

Good advice. I'll look at target blacklisting before adding more lists. I think it is working decently right now. We've checked some websites we frequent and pretty good.

Looking at my stats from this morning, and from other days, the time is really off. It is only 8am here central time and my day's view of the chart below shows 2pm. Have you seen this error much? I'll google around.

Thank you for your strong answers. Has really helped me on my way. Been reading a TON.

Annotation%202019-12-05%20080243
Annotation%202019-12-05%200802431538×790 130 KB

1 Like
8

Have you set your time zone in your localisation options?
RPis are lacking a real time clock (RTC), so they have to sync their time with time servers.
On a normal RPi, you would run sudo raspi-config to change your time zone.

You should also consider configuring time servers that better match your region in /etc/systemd/timesyncd.conf.