Wouldn’t it be amazing to have an home DNS server which filters Advertisements, Malicious Sites or other bad sites’ categories and recursively resolves the names without using official DNS servers like the one provided by Google, CloudFlare or OpenDNS, for example?


  • 17 April 2021: added DNSSEC validation section

Provider DNSs

The majority of people uses internet at home without messing up with the configuration of the modem/router provided by the Telco and they use the provider’s DNS servers which are returned automatically by provider when the modem brings up the PPPoE connection when it is powered up.

Free public (and faster) DNS servers

The first step to have a better surfing experience at home is to connect to the router and change the DNS servers returned on the local LAN by the DHCP server replacing them with some public DNS…

In this article I will show you how to collect and send Pi-hole stats to an influxdb2 bucket by using a simple Python script pihole-to-influxdb2.py or my giannicostanzi/pihole2influxdb2 docker image you can find on DockerHub

As I’ve shown at the end of my Recursive DNS Resolver with AD-Blocking Features — Part 1 article, I’ve implemented some Grafana Dashboards to monitor the performance of the Pi-holes services running in my home network, one on a Raspberry Pi3 and one on a Synology NAS. Let’s see how you can collect stats via Pi-hole web API.

Pihole Web API

Pi-hole service exposes a GUI that you can use to configure it and to view some performance data on standard HTTP port 80/tcp. The same port is used also to expose information in a JSON format, just visit http://your_pihole_server:port/admin/api.php

Obviously you can…

Installing SecNS Unbound with DNSSEC enabled is quite easy, let’s see how you can configure it as the Unbound instance previously configured on Raspberry in Part 1 of this series of articles.


As we did in Recursive DNS+AD-Blocker — Part 2: Installing Pi-hole without caching on Synology NAS with Docker, in order to have a redundant Pi-hole+Unbound stack (detailed in Recursive DNS Resolver with AD-Blocking Features) in my home network, I doubled also the Unbound server, choosing again my Synology NAS as a great target.

Choosing the Right Image

Since in Part 1 we did not enable DNSSEC validation in Pi-hole, we want to enable it in our Recursive DNS Resolver Unbound. After digging a while and doing some tests, I’ve chosen as image the one provided by SecNS, which is secns/unbound.

Implementing SNAT/DNAT on Fortinet Firewalls has never been straightforward as on other platforms like Checkpoint, in my opinion, at least before the introduction of Central NAT. Let’s see how to implement a subnet-to-subnet 1-to-1 translation with deterministic mappings, using VirtualIPs (DNAT) and Fixed-Port-Range IP-Pools (SNAT).


I’ve recently had to migrate some firewall security and NAT rules from Checkpoint to Fortinet firewalls and faced some challenges due to the different behavior of the two technologies. Checkpoint applies security policies first (at least the version I’m using) and then it checks the NAT policies and applies both source and destination NAT. …

Installing Pi-hole on a Synology NAS with Docker is quite trivial, disabling caching is not, so let’s see how to do it. You will also learn how to build your own docker image that overrides default cache settings. Key info is generic so it is valuable for other Docker installations too, if you’re not running Docker on a Synology box.

Update 18 April 2021: added link to my public giannicostanzi/pihole-nocache image on Docker Hub

Update 01 May 2021: added link to Dockerfile sources on my GitHub Page MightySlaytanic/pihole-nocache


In the previous post Recursive DNS Resolver with AD-Blocking Features I’ve explained how to implement on a Raspberry Pi device a DNS resolver that blocks ADs and malicious sites (Pi-hole) and resolves names recursively (Unbound) without relying on official DNS servers like Google ones. As I’ve said in that post I have deployed two Pi-holes and two Unbound servers in my home network, to have a bit of redundancy when I’m doing…

Wouldn’t it be amazing to have no services exposed to simple scanners that continuously scan the public network’s IP addresses without giving up accessing your home network’s resources from the Internet?


A lot of people that have a server or NAS at home require to publish some services on the Internet, through the so-called port forwarding technique on their home routers. Exposing services makes them detectable by port scanners, which can understand what machines or servers are running in your home network, which version of software they run and what vulnerabilities may affect them. This analysis can be the first step for a malicious user that wants to penetrate into your intranet.

The linux knockd daemon solution

Some years ago my home router was a simple low-power alix-1c mini-computer and I’ve accomplished the task of having…

Some network devices and PCs can listen for incoming special packets on their ethernet interfaces even when shutdown, and this is used to allow them to be powered up with a special magic packet, which is used by Wake-On-Lan (from now WOL). Let’s see how we can use WOL from Public Network on our home RouterOS-based Mikrotik Router.

WOL is usually done by generating a packet with destination IP address the broadcast address of the network (in a common network, it is directed to or, which produces an ethernet frame with FF:FF:FF:FF:FF:FF destination mac address. This broadcast frame is processed by all the hosts on the lan segment. What does it make this packet magic? The fact that it must contain the Mac Address of the device to be woken up, repeated 16 times. When the powered off device’s ethernet card detects this special frame, it powers up the device.

Usually the magic packet is…

Gianni Costanzi

Network Engineer, Music Lover, Motorbike Rider, Amateur Photographer, Nerd-inside

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store