Avoid The Hack: The Best Pi-Hole Blocklists (2024)

/ data privacy, DNS, pihole

This post was originally published on 26 APR 2021; it has since been updated and revised.

Looking for solid and maintained blocklists to round out the blocking capabilities of your Pi-Hole install? You've come to the right page.

Preface

While this post is geared towards users with a Pi-Hole on their network, it can also be applied to adblocking/domain filtering DNS providers with custom list loading options and browser ad/tracker blocking plugins like uBlock Origin, though users should double-check whether the format is compatible with their service/platform.

Why dedicate a whole post to just ad blocklists? The short story is, ads suck. They pose a considerable cybersecurity risk in the modern threat landscape for the regular user (you), are ridiculously privacy invasive, and can be difficult to keep blocked.

Ad blocking lists can easily become outdated and useless, so to keep on top of blocking ads, it's usually best to use lists/services that update blocking lists frequently.

Note:A DNS sinkhole like Pi-Hole isn't the only way to block ads; ads can be blocked in the browser and on-device as well.

Picking your blocklist(s)

Use these points as a helpful reference for picking what blocklists you want to use for your Pi-Hole set up. It is important to consider what and why you are blocking, understand the networking needs of the devices on your network, minimize false positives and redundancy, and know when to whitelist a domain.

1. Consider your "threat" model

In this specific case, you'll want to ask yourself two questions:

  1. What do you want to block? (Malware domains, Advertising, Trackers, Telemetry, Parental Control, etc)

and

  1. What are your reasons for blocking it? (AKA: Why?)

For example, are you...

  • Wanting to block excessive device telemetry because constant requests are slowing down your network?
  • A parent wanting to block malware and adult-content related domains network wide (irrespective of device) because you don't want your kids visiting such sites?
  • Wanting to block intrusive ads across your entire home network because you're tired of targeted and privacy invading ads?
  • Concerned about the potential security risks posed by targeted ads or malvertising in general? )

red skull and crossbones on a green vector background

This isn't to say that you need specific justification for blocking certain things via Pi-Hole, but it's definitely important to consider what you need blocked and for what reason. You'll want your Pi-Hole to be efficient and provide the most benefit for you and your network.

Additionally, when you take into things like basic device functionality into account, you'll find that just blocking "everything" is often times not feasible.

Blocking everything usually means many things tend to break, and some devices/services/websites become totally unusable/inaccessible if you go for a "nuke everything" approach. This can easily become more hassle than its worth, so it's best to plan accordingly.

2. Consider devices on your network

You'll want to heavily consider just what devices run on your home network.

How many devices are connected to your Wi-Fi? What types of devices are these? Keep in mind that many "Smart devices" may connect to your home network.

Some of these might include...

  • Gaming consoles (ex: Xbox)
  • Smartphones (ex: iPhone)
  • Laptops
  • Desktops/PCs
  • Smart watches (ex: Garmin's smart fitness trackers)
  • Tablets (ex: iPad)
  • Smart TVs
  • Streaming devices/sticks (ex: Roku)
  • Smart appliances (ex: "Smart fridges")
  • Various IoT devices (ex: smart thermostats, internet-capable security cameras)

For example, while you may wish to block your Windows 10 PC from sending a ton of information (AKA telemetry) to Microsoft, it might not be beneficial for you to block every request related to known Microsoft domains (such as microsoft.com or things served with their cloud platform, Azure.)

Doing so could adversely affect the functionality of your device, such as receiving critical updates to crucial services and/or updating the operating system itself.

example diagram of a home network

For example, if you go as far as to block things related to its Azure cloud platform, you can go as far as breaking websites relying on Azure for all devices on your network. The process of steadily "unbreaking" everything can be frustrating and time-consuming for many users. Quite frankly, finding out where things went wrong isn't fun or conducive for people who want some protection that just works.

What's more is that when you consider your devices, you should also consider some of the internet-connected services they might use...

For example, if you're an avid streamer, then you may not want to blindly block everything reaching out to a hulu.com related domain - else you won't be able to launch and watch hulu on your home network.

Likewise, if you're a console gamer, you might not want to totally block all domains associated with Sony, Microsoft, or Nintendo - or else your console might not function properly in some areas, such as online gaming or recording achievements.

This isn't to say that you can't block some requests to microsoft.com or hulu.com, just that you may not want to blacklist the entire domain or everything associated with it.

3. More is not always better

Say it with me: More. Is. Not. Always. Better.

Listen, I know that the resources linked here have a ton of blocking lists.

I also know that some of these blocking lists are huge.

It may be tempting to use each and every blocklist found here or elsewhere. However, I'm strongly advising you not to do that.

man holding up "help" sign buried underneath a mess of books

Why? Many of these blocklists borrow from each other. Because of this, if you use all of them, you'll find yourself with a lot of overlap and needless redundancy.

Redundancy reduces efficiency and wastes resources. Additionally, the more lists you use, then the more likely you are to run into false positives, which can really be a pain in the ass to deal with.

Remember: a "nuke everything" approach is not necessarily the best approach here. Overall, you want to find a balanced solution that both increases your level of privacy - and in many cases, improves security - while maintaining good functionality. You should keep in mind your own threat model.

In fact, in some cases, you may find that the stock blocklist fits your personal needs, which is perfectly fine. More is not always better - remember that!

4. Don't be afraid to Whitelist

If you plan on running an aggressive blocking set up, then you shouldn't be afraid to whitelist certain domains.

Whitelisting = allow listing. It is the opposite of blocking.

It seems counterintuitive but here is the logic... the more "aggressive" you are with blocking, then the more likely (legitimate) websites/services are to break. Aggressive blocking can also increase the frequency of false positives.

This doesn't necessarily mean that you have to be any less aggressive in your blocking - especially if your threat model calls for it or you don't mind dealing with breakage. However, to maintain functionality you might want to take care by whitelisting domains that totally break things when blocked.

multiple shields with check marks on blue overlayed server room background

When you whitelist those blocked domains that cause substantial breakage, you can more easily continue to run aggressive blocklists. However, you should be forewarned that you'll need to stay on top of updating your whitelist, as these domains can change just as readily as ad, tracker, and malware serving hosts.

For example, a whitelisted domain can become obsolete by either not resolving or having whatever crucial service it was providing moved to another host (with a different domain.) Or perhaps you no longer have a device/app that requires the whitelist.

You may also find that your whitelist grows with time. This can be due to a number of different factors, such as:

  • the addition of new devices on your network
  • new updates to software
  • additional apps on your devices

"Stock" Blocklists

If you weren't aware already, PiHole comes out-the-box with an optional blocklist:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

This blocklist is well maintained and provides good blocking functionality without breaking normal functionality. For some it might be enough, but users often find they want to add their own custom lists for enhanced blocking capabilities.

However, if there comes a time where you need or want to delete your accumulated blocklists and/or restore the "default" blocklist...

To remove existing blocklists, run this command in Terminal:

sudo sqlite3 /etc/pihole/gravity.db "DELETE FROM adlist"

To restore the default blocklists, follow the steps outlined on the PiHole discourse forum.

Blocklist Collections

EasyList

easylist website screenshot

View Blocklists Pi-Hole Version

EasyList generally refers to a collection of blocklists ran by the primary EasyList maintainers and contributing community, though "EasyList" is the primary blocking list. EasyList is immensely popular and effective; it is one of the adblocking lists loaded into highly regarded and effective wide spectrum ad/tracker blocker, uBlock Origin, by default.

EasyList was originally designed for Adblock, but has been adapted to many adblocking solutions. This includes Pi-Hole; to view the version of EasyList adapted for use with Pi-Hole, use the appropriate button above.

EasyList generally provides a solid foundation of protection from the tracking that generally comes with ads online. Though, adding its supplemental lists, such as EasyPrivacy, can cause some breakage, depending on the services and websites you regularly use on your network.

DNS Blocklists by hagezi

screenshot of hagezi dns blocklist github repository

View Blocklists

The blocklists found here are separated into numerous categories. However, the lists most people would be interested in are the "multi" lists, which come in various sizes and aggressiveness. These lists use a wide variety of sources, which can be found here.

For users with specific needs, there are also lists which focus on common themes; for example, there are block lists for gambling, anti-piracy, and known badware hosts.

Note, if you run any of the the "multi" lists, you likely shouldn't run any of the other specific lists due to redundancy. Likewise, since these the large "multi" lists are compiled from a wide variety of lists, you may want to consider only using a single "multi" list.

The Firebog (WaLLy3k)

firebog website screenshot

View Blocklists

The lists found at The Firebog are separated several ways. First, the lists are separated into categories:

  • Suspicious
  • Advertising
  • Tracking & Telemetry
  • Malicious
  • Other

Then, they're separated into green and blue. Green is the least likely for breakage, whereas blue lists are more likely to break things.

You should avoid the crossed out lists. Feel free to experiment mixing the more aggressive "blue" lists with the less aggressive green ones. Note that some lists are updated more frequently than others, even if they are not crossed out.

For many users, the categories and green/blue lists found here should cover what you need and/or want your Pi-Hole to block.

The Blocklist Project

blocklist project screenshot of github readme page

View Blocklists

Note: As of July 2024, this project is undergoing a rewrite. While it appears lists are still updated periodically, they may not be updated as readily as others.

This project lists a variety of lists for easy tailoring to user's blocking needs. These lists can be used in any combination and are definitively supported in Pi-Hole and AdGuard Home.

Most users will want to check out the Advertising, Tracking, and Malware lists. Users looking for more protection could also look at the Phishing, Fraud, and Scam lists.

Social Media focused lists, such as the Facebook, Twitter, and TikTok lists aim to block domains/hosts known to be associated with these social media platforms, regardless of purpose.

Depending on other needs - such as parental control/content moderation needs - users can also check out the list types blocking dubious activities and content (whether legal or not), such as gambling.

Lists here are well maintained and updated frequently. The contributors behind this project are constantly adding new list categories and types, as well as quickly processing removal and addition requests.

Combo blocklists

OISD Domain Blocklist

oisd website screenshot

This list comes in 3 main flavors: Basic, Full, and Not Safe For Work (NSFW).

While this list is big and incorporates many other lists, it remains controversial in the Pi-Hole community. Please use at your discretion.

Basic primarily blocks advertisements whereas Full contains everything from advertisements, malware, scam/phishing, telemetry, tracking, etc. Additionally Full includes everything from the Basic and NSFW lists.

The Full list is massive and incorporates a ton of smaller blocklists. If you run this one, chances are you won't need to run any other lists as there will be a lot of needless overlap.

The NSFW list blocks domains that are known to host pornographic content not limited to known porn streaming/downloading sites.

However, this results in you having to place a lot of trust in a single party. You also will not be able to assign different lists , which negates the "Group management" feature of PiHole. Group management has the capability of applying different blocking rules to different user-defined "groups."

The OISD lists are updated approximately every 24 hours.

View Blocklists

RegEx Blocking

Pi-Hole features RegEx (regular expression), which can create more complex filter rules for your Pi-Hole set up. This is often described as an "advanced" function, but any user can take the time to learn how to properly write RegEx entries.

RegExes are actually used in a variety of applications -- not just Pi-Hole. Perhaps the main purpose for RegEx is for filtering, most notably while performing a search. The search function (CTRL + F) in your browser is an excellent example of RegEx filtering as a search function; the page gets "filtered" based on what you input into this search function.

So, naturally that begs the question: How does RegEx apply to Pi-Hole specifically? Generally speaking, Pi-Hole uses RegEx rules to filter domains. The domains that "hit" on your RegEx rules can be either blocked or whitelisted. The RegEx entries function alongside your blocklists.

The key to using RegEx with your Pi-Hole is not to be too general or broad. With RegEx, specificity is good. General rules exponentially increase the likelihood you'll run into false positives or significant breakage in usability. Ideally, you'd use a recommended RegEx list like below versus creating one from scratch; but as always, if your threat model calls for it, feel free to edit as you see fit!

A highly recommended RegEx list can be found on GitHub: Recommended RegEx list

Learn to create RegEx entries for your Pi-Hole with the official documentation: More info on RegEx

Synergies with Pi-Hole

While Pi-Hole is a solid tool for blocking ads, especially on a home/small network, it is certainly not the definitive end all for blocking ads. Pi-Hole is but one (good) solution for blocking ads on a network-level, but it also pairs well with other methods of blocking ads, trackers, and malware hosts.

Self-hosted or trusted DNS providers

Pi-Hole is a forwarding resolver - it needs an upstream DNS to pass requests off to. Users can self-host a local recursive DNS resolver using software like Unbound (Pi-Hole and Unbound are regularly recommended together), though depending on the user and their available resources, this may not be feasible.

With a trusted DNS provider, the upstream DNS can also provide blocking and filtering capabilities, which could synergize well with Pi-Hole's local filtering on the network (prior to passing other requests off to the upstream. There's a separate post dedicated to listing recommended filtering-capable DNS providers .

Browser-level blocking

Overall, the browser is probably the most used application on any given device. Just because you are running a Pi-Hole, doesn't mean you can't benefit from browser-level adblocking or using a privacy-oriented browser in general.

In fact, blocking ads on the browser-level can help conserve resources on the device hosting the Pi-Hole - the requests never make it to the Pi-Hole for filtering/passing for resolution.

Users may use a browser with built-in adblocking capabilities or use uBlock Origin.

Host-based firewalls

Host-based firewalls are installed on devices and are designed to enable users to be 1) aware of network connections their devices are making (outside of the browsing experience) and 2) fine-tune the network connections their devices make. Host-based firewalls generally have capabilities extending beyond just adblocking, but can be effective for filtering out unwanted connections to remote hosts - which include ad, tracker, and malware serving hosts.

For example, Portmaster - available on Windows and Linux platforms - can be specifically configured to forward DNS requests for the device to Pi-Hole.

...

With that said, happy blocking and as always, stay safe out there!

Next Post Previous Post