Status: Active | Tags: Pi-hole, Grafana, InfluxDB, Networking, Linux

Homelab Network Monitor

Full-stack DNS-level ad blocking and traffic visibility

01. Overview

I wanted visibility into what was happening on my home network — not just whether devices were reachable, but which ones were chatty, what domains they were phoning home to, and whether anything unusual was happening at 3 AM. The result is a fully self-hosted monitoring stack that runs on a Raspberry Pi 4 and generates a weekly digest email I actually look forward to reading.

An added benefit: the DNS-level blocking alone eliminated ads and tracking from every device on the network — including smart TVs and mobile apps — without needing a browser extension on each one.

02. Stack Architecture

  • Pi-hole (DNS sinkhole): Intercepts all LAN DNS queries. Blocks ad, tracking, and malware domains via curated blocklists. Forwards unblocked queries to Unbound.
  • Unbound (recursive resolver): Resolves DNS queries by walking the root nameserver chain rather than forwarding to a third-party resolver. Supports DNSSEC validation.
  • Telegraf (metrics agent): Scrapes the Pi-hole FTL API and system metrics every 30 s. Forwards to InfluxDB over the line protocol.
  • InfluxDB (time-series database): Stores all metrics with a 365-day retention policy. Handles ~50k data points per day.
  • Grafana (visualisation): Dashboards for per-device query volume, top blocked domains, query latency, and 30-day block rate trends.
  • Alertmanager (alerting): Triggers on anomalous query spikes (possible DNS exfiltration or C2 beaconing) and Pi-hole downtime.

03. How It Was Built

DNS configuration

The router's DHCP server was reconfigured to hand out the Pi's IP as the sole DNS server for all LAN clients. Pi-hole receives queries, checks them against its blocklist database (which I curate from several maintained feeds — StevenBlack, OISD, and a custom list for smart-home phone-home domains), and forwards clean queries to Unbound on localhost port 5335.

Metrics pipeline

Telegraf polls the Pi-hole FTL (Faster Than Light) API every 30 seconds and pushes metrics to InfluxDB. The InfluxDB instance uses a continuous query to downsample raw data into 5-minute averages for long-term storage, keeping the database footprint small. Total disk usage after a year of data is under 2 GB.

Anomaly alerting

An Alertmanager rule fires if any device sends more than 500 DNS queries in a five-minute window (roughly 10x the normal rate) — a heuristic for beaconing C2 traffic or a misconfigured app in a retry loop. A second rule alerts if Pi-hole FTL stops responding, which would cause DNS to fail silently for all LAN devices. Alerts route to a webhook that posts to a self-hosted Ntfy instance on my phone.
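
The 500-queries-in-five-minutes heuristic above, as an added example (not the author's alert rule, which runs on the Telegraf/InfluxDB metrics): a per-client sliding window over dnsmasq-style query log lines, compared with fixed five-minute buckets. The log line format, the year, and all addresses and domains in the sample are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW_S, THRESHOLD = 300, 500   # "more than 500 queries in five minutes" (from the page)
# Assumed input: dnsmasq-style query lines such as Pi-hole's query log contains
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def parse(line, year=2024):
    """Return (seconds_since_jan_1, client, domain), or None for non-query lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year, so one is assumed to get a full timestamp.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (ts - datetime(year, 1, 1)).total_seconds(), m.group(3), m.group(2)

def sliding_alerts(lines):
    """Per-client sliding window: {client: (peak_count, distinct_domains_at_peak)}."""
    recent, alerts = defaultdict(deque), {}
    for t, client, domain in filter(None, map(parse, lines)):
        q = recent[client]
        q.append((t, domain))
        while q[0][0] <= t - WINDOW_S:          # evict queries older than the window
            q.popleft()
        if len(q) > max(THRESHOLD, alerts.get(client, (0, 0))[0]):
            alerts[client] = (len(q), len({d for _, d in q}))
    return alerts

def bucketed_peak(lines, client):
    """Peak count for one client using fixed 5-minute buckets, for comparison."""
    records = filter(None, map(parse, lines))
    buckets = Counter(int(t // WINDOW_S) for t, c, _ in records if c == client)
    return max(buckets.values(), default=0)

def sample_log():
    """Constructed log: .50 sends 600 queries across a bucket boundary, .20 sends 50."""
    base = datetime(2024, 1, 5, 3, 3, 0)
    rows = [(base + timedelta(milliseconds=400 * i), "cdn.example", "192.168.1.50")
            for i in range(600)]
    rows += [(base + timedelta(seconds=6 * i), f"site{i}.example", "192.168.1.20")
             for i in range(50)]
    lines = [f"{t:%b} {t.day:2d} {t:%H:%M:%S} dnsmasq[812]: query[A] {d} from {c}"
             for t, d, c in sorted(rows)]
    return lines + ["Jan  5 03:07:00 dnsmasq[812]: reply cdn.example is 192.0.2.10"]

if __name__ == "__main__":
    log = sample_log()
    print(sliding_alerts(log), bucketed_peak(log, "192.168.1.50"))
```

On the constructed log the sliding window reports 600 queries for 192.168.1.50, while fixed buckets split the same burst into two counts of 300 and stay under the threshold. The distinct-domain count at the peak (1 here) is a triage aid for telling a single-name retry loop from traffic spread over many names.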

Weekly digest

A Python script runs on Sunday night via cron, queries InfluxDB for the past 7 days of data, and generates an HTML email with the top 10 queried domains, top 10 blocked domains, per-device query breakdown, and overall block rate. It is sent via SMTP relay through Mailgun's free tier. The email is the most reliable way I've found to actually notice if something unusual is happening.

04. Results

  • ~28% of DNS queries blocked
  • <1 ms average query latency
  • 18 devices monitored
  • 365-day data retention

05. Lessons Learned

  • Using Unbound as a recursive resolver instead of forwarding to 8.8.8.8 eliminates one external dependency and improves privacy meaningfully.
  • Some smart home devices hardcode Google or Cloudflare DNS and ignore DHCP settings. pfSense firewall rules can intercept and redirect port-53 traffic to Pi-hole regardless.
  • The weekly digest email revealed that a cheap smart plug was making ~3,000 DNS requests per day to an unfamiliar Chinese CDN. That plug is now on a restricted VLAN.
  • Blocklist over-blocking is real. Maintain a custom whitelist from day one — the first week will surface legitimate domains that popular lists incorrectly block.