As part of my journey towards higher privacy while using internet, I decided to set up Pi-hole on my Synology NAS DS218play. If you are reading this article, you probably don’t need the following explanation, but just in case: Pi-hole is perhaps the most popular DNS sinkhole, which aims to block ads, trackers and malicious sites for all devices on your local network.

Now, your NAS is one of the best candidates for running Pi-hole since it is typically on 24/7 and connected via high-speed wired connection to your router. Since I already was an owner of Synology NAS, I started googling how to set up Pi-hole on my device. There are plenty of howto’s which describe the process, but they have one fatal flaw: they rely on the Docker (or Container Manager, as it was later renamed to) Synology package to be installed and used for the setup. And this is where it starts to get interesting: Docker is not officially supported on ARM-based Synology NASes (such as the j and play models), supposedly due to insufficient performance of their CPUs. This means you will not find the packages in the Package Manager and will not be able to install it the usual way.

There are many users asking how to install Docker (or even specifically Pi-Hole) on the DS218play and the answer is always the same - unsupported, not available, you’re out of luck, you will need to upgrade to the plus model (which uses x86 CPUs) or get a Raspberry Pi.

That is not entirely true, though, and that’s why you’re likely here. The setup requires a little bit of technical skills and bravery, but it is not an overly complicated process. It does need to be said though that the Docker support is indeed unofficial, one could even say hacky, and you are doing this at your own risk. On the upside, the Realtek RTD1296 CPU in the DS218play is perfectly capable of running a simple app such as Pi-hole in Docker (the CPU barely registers usage from multiple local network devices), and can probably run even more complex apps, so the argument related to the CPU’s performance is not entirely based on reality - it probably has more to do with Synology not wanting to maintain packages for multiple architectures, especially if moving to the + line is such a good upsell for them.

Also, while I can give you no guarantees on this, the how-to is likely to work on some other Synology models (such as DS220j, DS223j, DS118, DS218, DS418 - basically anything that has aarch64 CPU model listed here). Furthermore, based on my cursory Google research, changing the architecture in below scripts from aarch64 to armhf might allow you to use it for the ARMv7 models (such as DS218j, DS216j or DS416) as well.

Prerequisites

OK, now that you have been warned and given necessary context, let’s see what we will need:

• Access to the Synology NAS using a privileged user (can be your regular user but should be in the administrators group - i.e. the main account you use to manage the NAS using DSM
• DSM version 7.2.x (tested on 7.2.1, likely works on all 7.x.x)
• Enabled SSH access (see below)
• Internet access (duh)
• An SSH client (PuTTY is a great one if you’re on Windows, but you can also install an ssh client from Windows; Linux and Mac usually comes with a command-line SSH client)

Enabling SSH access to your NAS

Your Synology NAS may not have a remote terminal access enabled. This is how you enable it:

1. Open Control Panel.
2. Go to Terminal & SNMP.
3. Check the Enable SSH service checkbox.
4. Done!

In case the port is set to anything else than the usual port 22, you should make a mental note of that number.

Step-by-step instructions

Connecting and gaining root access

1. Use your SSH client to connect to the NAS. You will need to specify the NAS’s IP Address - if you do not know it, you can find it out in Control Panel → Network → Network Interface. Mine is 192.168.0.101 and let’s say the main user account is “tom”.

ssh tom@192.168.0.101
If you are using a different port than 22, add the -p parameter, e.g.:
ssh tom@192.168.0.101 -p 22345
2. You might be prompted to accept the host’s key the first time you connect. Accept it.
3. Now enter the password for tom’s account - this is the same as you use to log in into DSM using your browser.
4. Now you should be remotely connected to your NAS, but we need to get the system administrator (root) privileges. On DSM, simply type sudo -i and use the same password as in step 3.
5. Now the command line should say something like root@nas (or whatever hostname you chose after the @ sign).

Docker installation

1. Navigate to you main user’s home directory.
   cd /volume1/homes/tom/
   Note that you will need to adjust the username and potentially the volume number based on your system’s settings.
2. Grab the file below and save it to your desktop computer. Let’s call the file get-docker.sh

#!/bin/bash
set -e

ARCH=aarch64
DOCKER_VERSION=20.10.9
COMPOSE_VERSION=2.5.1
DOCKER_DIR=/volume1/@docker

echo "Downloading docker $DOCKER_VERSION-$ARCH"
curl "https://download.docker.com/linux/static/stable/$ARCH/docker-$DOCKER_VERSION.tgz" | tar -xz -C /usr/local/bin --strip-components=1

echo "Creating docker working directory $DOCKER_DIR"
mkdir -p "$DOCKER_DIR"

echo "Creating docker.json config file"
mkdir -p /usr/local/etc/docker
cat <<EOT > /usr/local/etc/docker/docker.json
{
  "storage-driver": "vfs",
  "iptables": false,
  "bridge": "none",
  "data-root": "$DOCKER_DIR"
}
EOT

echo "Creating docker startup script"
cat <<'EOT' > /usr/local/etc/rc.d/docker.sh
#!/bin/sh
# Start docker daemon

NAME=dockerd
PIDFILE=/var/run/$NAME.pid
DAEMON_ARGS="--config-file=/usr/local/etc/docker/docker.json --pidfile=$PIDFILE"

case "$1" in
    start)
        echo "Starting docker daemon"
        # ulimit -n 4096  # needed for influxdb (uncomment if your limit is lower)
        /usr/local/bin/dockerd $DAEMON_ARGS &
        ;;
    stop)
        echo "Stopping docker daemon"
        kill $(cat $PIDFILE)
        ;;
    *)
        echo "Usage: "$1" {start|stop}"
        exit 1
esac
exit 0
EOT

chmod 755 /usr/local/etc/rc.d/docker.sh

echo "Creating docker group"
egrep -q docker /etc/group || synogroup --add docker root

echo "Installing docker compose $COMPOSE_VERSION"
curl -SL "https://github.com/docker/compose/releases/download/v$COMPOSE_VERSION/docker-compose-linux-$ARCH" \
     --create-dirs -o /usr/local/lib/docker/cli-plugins/docker-compose
chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
chgrp -R docker /usr/local/lib/docker

echo "Starting docker"
/usr/local/etc/rc.d/docker.sh start

echo "Done.  Please add your user to the docker group in the Synology GUI and reboot your NAS."

Credits to DaveMDS
_Note: The versions of Docker and Docker Compose might be outdated when you read this. If you want to use the the latest versions, check them here and here. _

1. Upload the get-docker.sh file to your home folder in DSM: Open File Station, navigate to your home, click on Upload and the Upload - Overwrite.
2. Now back to SSH terminal - make the script executable:
   chmod +x ./get-docker.sh
3. Run the installation script:
   ./get-docker.sh
4. Docker should now be installed! Let’s follow the instruction to add our user to the docker group: go to Control Panel → User & Group → Group → select docker → Edit → Members → select the checkbox next to tom (your main user) → Save.
5. Reboot your NAS!

Installing Pi-Hole

1. While your NAS rebooted, your SSH session got disconnected, so you will need to repeat steps from the above section Connecting and gaining root access.
2. Using the same process as with the get-docker.sh file, upload the below script and name it install-pihole.sh. Do not forget to change the value of the PIHOLE_PWD variable.

#!/bin/bash

IP_ADDRESS=$(ifconfig eth0 | awk '/inet addr/ {gsub("addr:", "", $2); print $2}')
TZ=$(realpath --relative-to /usr/share/zoneinfo /etc/localtime)
PORT=8080
PIHOLE_PWD="piholepwd"

PIHOLE_BASE="${PIHOLE_BASE:-$(pwd)}"
[[ -d "$PIHOLE_BASE" ]] || mkdir -p "$PIHOLE_BASE" || { echo "Couldn't create storage directory: $PIHOLE_BASE"; exit 1; }

echo -e "Setting up pihole container at ${IP_ADDRESS}:${PORT} (timezone ${TZ})"

docker run -d --name=pihole \
-e WEB_PORT=$PORT \
-e WEBPASSWORD=$PIHOLE_PWD \
-e WEB_BIND_ADDR=$IP_ADDRESS \
-e TZ=$TZ \
-e DNSMASQ_USER=root \
-e DNSMASQ_LISTENING=local \
-v /volume1/docker/pihole/dnsmasq.d:/etc/dnsmasq.d \
-v /volume1/docker/pihole/pihole:/etc/pihole \
--net=host \
--restart always \
pihole/pihole

printf 'Starting up pihole container '
for i in $(seq 1 20); do
    if [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" == "healthy" ] ; then
        printf ' OK'
        echo -e "\nPi-hole running at http://${IP_ADDRESS}:${PORT}/admin/ - use password '${PIHOLE_PWD}' to log in."
        exit 0
    else
        sleep 3
        printf '.'
    fi

    if [ $i -eq 20 ] ; then
        echo -e "\nTimed out waiting for Pi-hole start, consult your container logs for more info (\`docker logs pihole\`)"
        exit 1
    fi
done;

The script was adapted from the official pi-hole example.

1. Run the Pi-hole installation script (assuming you’re in the main user home directory again):
   ./install-pihole.sh
2. Downloading and setting up the pihole container may take some time. Once it is done, you should see a message like this:
   Pi-hole running at http://192.168.0.101:8080/admin/ - use password 'piholepwd' to log in.
3. If everything went well, navigating to http://192.168.0.101:8080/admin should lead you to the Pi-Hole login screen. Success!
4. Do not forget to configure your NAS’s IP address as the DNS server for your network - this would typically be done in the router settings, for example like so.

Additional considerations

• Since Pi-hole is now the sole resource for DNS resolution, it becomes a critical part of your network infrastructure. If the NAS or Pi-Hole itself stops working or gets disconnected, none of the clients on your network will be able to connect to the internet. This can be easily fixed by rebooting/reconnecting your NAS or simply reverting the router DNS settings to default or, for example, to Cloudflare’s 1.1.1.1 DNS server, but you can only do that if you are physically at home (or have other means of connecting to your router).
  • To prevent my loved ones from undergoing the terrible torture of not having access to the internet when I’m not at home (and also for general peace of mind), I decided to build redundancy into my Pi-Hole setup: I bought a super-cheap used Raspberry Pi 2 and added it as another Pi-Hole to my home network. I actually use the RPi2 as my primary DNS server and the NAS one as the secondary one (most routers will allow you to specify two DNS servers for your WAN), and have not had any issues with this setup so far. Knock on the wood.
  • Tip: Use the Teleporter feature to easily sync settings between the two Pi-Holes.
• The setup above persists even through NAS reboots (docker will start automatically, and so will Pi-Hole), and it also survives DSM patches (7.2.x), but I have yet to test whether it survives minor updates (7.x.x). I will update this article with my findings once I have an opportunity to test it.
  • My hunch is that minor updates will be fine, but I am fairly certain that a major update (to DSM8) will likely need a docker reinstall. However, since the scripts are stored in my home folder, SSHing to the NAS and running them again will be minimal effort, should any of the DSM updates disrupt the setup.

Support Pi-Hole!

Pi-Hole is a wonderful project that objectively improves the digital life of many people. If it is the case for you, consider supporting the creators - surely your privacy on the internet is worth a donation of few bucks.