This post was originally published on April 26, 2021; it has since been updated and revised.
If you're looking for solid blocklists for your PiHole, here's a collection of mega blocklists for you.
We also have some words of wisdom for you when it comes to using these blacklists.
Don't have a Pi-Hole installed? You can follow the ATH guide to setting up a Pi-hole in your network.
Choose your blacklist(s)
Use these points as a handy reference for choosing the blacklists you want to use for your PiHole.
1. Consider your "threat model."
In this specific case, you should ask yourself two questions:
- What do you want to block? (malware domains, advertising, trackers, telemetry, parental controls, etc.)
- What are your reasons for blocking? (AKA: why?)
For example, are you...
- wanting to block excess device telemetry because the constant requests are slowing down your network?
- a parent wanting to block malware and adult content domains across the network (regardless of the device) because you don't want your children to visit these sites?
- wishing to block intrusive ads across your home network because you are tired of targeted ads and privacy invaders?
This is not to say you need a specific justification for blocking certain things via PiHole, but it's definitely important to consider what you need to block and why. You want your PiHole to be efficient and provide maximum benefit to you and your network.
When you consider things like basic device functionality, you'll find that simply blocking "everything" is often not feasible.
Blocking everything usually means breaking a lot of things and making some devices/services/websites completely unusable/inaccessible if you take a "shred everything" approach.
2. Look at the devices on your network
You should seriously consider what devices are running on your home network.
How many devices are connected to your WiFi? What are these devices? Remember that many "smart devices" can connect to your home network.
Some of these may be...
- Game consoles (e.g., Xbox)
- Smartphones (e.g., iPhone)
- Laptops
- Desktop computers/PCs
- Smart watches (e.g., a smart fitness tracker from Garmin)
- Tablets (e.g., iPad)
- Smart TVs
- Streaming devices/sticks (e.g., Roku)
- Smart appliances (e.g., "smart fridges")
For example, while you may want to prevent your Windows 10 PC from sending a lot of information (also known as telemetry) to Microsoft, it may not be beneficial to block all requests related to known Microsoft domains (such as microsoft.com or anything to do with its cloud platform, Azure).
This may affect the functionality of your device, e.g., receiving critical updates for important services and/or updating the operating system itself.
For example, if you go as far as blocking things related to the Azure cloud platform, you could end up breaking certain websites that rely on Azure for all devices on your network. The process of constantly "unblocking" everything can be frustrating and time consuming for many users. Honestly, figuring out where things went wrong is neither fun nor conducive for people who want something that "just works."
When considering your devices, you should also consider some of the Internet-connected services they might be using...
For example, if you're an avid streamer, you might not want to blindly block all access to domains related to hulu.com; otherwise you won't be able to start or watch Hulu on your home network.
If you're a console gamer, you may not want to blacklist all domains associated with Sony, Microsoft or Nintendo, or your console may not work properly in some areas, e.g., in online games or when saving achievements.
This is not to say that you can't block some requests to microsoft.com or hulu.com, just that you might not want to blacklist the entire domain, or everything associated with it.
3. More is not always better
Say it with me: More. Is. Not. Always. Better.
Listen, I know the resources linked here have a lot of blacklists.
I also know that some of these blacklists are huge.
It might be tempting to use every blacklist found here or elsewhere. However, I strongly advise against it. Do not do that.
You see, many of these blacklists borrow from one another. So if you use them all, you will face a lot of overlap and unnecessary redundancy.
Redundancy reduces efficiency and wastes resources. The more lists you use, the more likely you are to encounter false positives, which can be really annoying.
Remember: a "destroy all" approach is definitely not the best approach. In general, you want to find a balanced solution that improves your privacy level while keeping good functionality.
In some cases, you could even determine that the stock blacklist meets your personal needs, which is perfectly acceptable. More is not always better, remember!
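One way to see the overlap before adding another list, as an added example that is not part of the original post: the script parses hosts-format and bare-domain lists and reports how many domains each list contributes beyond the ones before it. The three sample lists are constructed; in practice you would feed it the downloaded text of your candidate lists.

```python
import re

# Constructed sample lists (not real blocklist contents) in the two formats
# adlists commonly use: hosts-file lines and bare domains.
LIST_A = """\
0.0.0.0 ads.example.com
0.0.0.0 track.example.net
127.0.0.1 localhost
0.0.0.0 telemetry.example.org  # inline comment
"""
LIST_B = """\
ads.example.com
TRACK.example.net
malware.example.io
"""
LIST_C = "0.0.0.0 ads.example.com\n0.0.0.0 malware.example.io\n"

_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def parse_list(text):
    """Return the set of blockable domains in a hosts- or domain-format list."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if fields and fields[0] in _SINK_IPS:     # hosts format: skip the IP
            fields = fields[1:]
        for name in fields:
            name = name.lower().rstrip(".")
            if _DOMAIN.match(name):               # rejects "localhost", junk
                domains.add(name)
    return domains

def marginal_gain(lists):
    """For each (name, text) in order, report (name, size, domains newly added)."""
    seen, report = set(), []
    for name, text in lists:
        domains = parse_list(text)
        report.append((name, len(domains), len(domains - seen)))
        seen |= domains
    return report, len(seen)

if __name__ == "__main__":
    rows, total = marginal_gain([("A", LIST_A), ("B", LIST_B), ("C", LIST_C)])
    for row in rows:
        print("list %s: %d domains, %d not already covered" % row)
    print("unique domains overall:", total)
```

A list whose last column is zero or close to it adds download and processing cost without adding coverage.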
4. Don't be afraid of whitelisting
If you plan to run an aggressive blocking setup, don't be afraid to whitelist specific domains.
It seems counterintuitive, but here's the logic... the more "aggressive" you are when blocking, the more likely you are to break (legitimate) websites/services. Aggressive blocking can also increase the frequency of false positives.
That doesn't necessarily mean that you have to be less aggressive when blocking, especially if your threat model requires it or you don't mind dealing with breakage. However, to maintain functionality, be mindful of whitelisting domains that completely break things when blocked.
By whitelisting blocked domains that cause significant breakage, you can more easily continue to run aggressive blacklists. However, be warned that you should keep your whitelist up to date, as these domains may change slightly.
For example, a whitelisted domain could become obsolete if the key services it provides no longer resolve or are moved to a different host (with a different domain). You may also no longer have the device/app that needed the whitelist entry.
You may also find that your whitelist grows over time. This can be due to a number of different factors, including but not limited to:
- Adding new devices to your network
- New updates
- Additional apps on your devices
"Stock" blocklist
In case you didn't know, PiHole comes with an optional blacklist:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
This blacklist is well maintained and offers good blocking functionality without breaking normal functionality. It may be enough for some, but users often find they want to add their own custom lists for advanced blocking capabilities.
However, if the time comes when you need or want to clear your accumulated blacklists and/or restore the "default" blacklist...
To remove existing blacklists, run this command in a terminal:
sudo sqlite3 /etc/pihole/gravity.db "DELETE FROM adlist"
To restore the default blocklists, follow the steps described in the PiHole Discourse forum.
Blacklist collections
The Firebog (WaLLy3k)
The lists found in The Firebog are separated in a number of ways. First of all, the lists are divided into categories:
- Suspicious
- Advertising
- Tracking and Telemetry
- Malicious
- Other
Then they are separated into green and blue. The green lists are the least likely to break things, while the blue lists are the most likely to break things.
I personally recommend using 1 to 2 lists from the Advertising, Tracking and Telemetry, and Malicious sections.
You should avoid crossed out lists. Feel free to experiment by mixing the more aggressive "blue" lists with the less aggressive green ones.
For many users, the green/blue categories and lists found here should cover what you need and/or want your PiHole to block.
(I personally use the AdGuardDNS, Threat-Intel and SmartTV lists. Use CTRL+F on the Firebog page to find them.)
Developer Dan (lightswitch05)
Most users will want to check out the Ads and Tracking list and the Google (cough) AMP list. You can also try the Tracking Aggressive list.
These lists are well maintained and are updated very frequently.
I personally use the Tracking Aggressive list and found it ticked the boxes for good blocking and functionality. Many users have noted glitches using this list, so be prepared to take corrective action if you find any glitches in your own use of this particular blacklist.
As always, consult your own needs and threat model when choosing which blocklists to use.
The Blocklist Project
This project lists a variety of lists to make it easy to customize based on the user's blocking needs. These lists can be used in any combination and are definitely compatible with Pi-Hole and AdGuard Home.
Most users will want to check out the Ads, Tracking, and Malware lists. Users looking for more protection can also refer to the Phishing, Scam, and Fraud lists.
Lists focused on social networks, like the Facebook, Twitter and TikTok lists, are designed to block domains/hosts known to be connected to these social media platforms, regardless of purpose.
Depending on other requirements, e.g., parental controls/content moderation, users can also review the types of lists that block questionable activities and content (legal or otherwise), such as gambling.
The lists here are well-maintained and regularly updated. The contributors behind this project are constantly adding new categories and list types, and are quick to process removal and addition requests.
The combined blocklist
OISD Domain Blocklist
This list comes in 3 main flavors: Basic, Full, and Not Safe for Work (NSFW).
Basic: https://dbl.oisd.nl/basic/
Full: https://dbl.oisd.nl/
NSFW: https://dbl.oisd.nl/nsfw/
Although this list is large and contains many other lists, it is still controversial in the Pi-hole community. Please use at your own discretion.
Basic mostly blocks ads, while Full contains everything from ads, malware, scam/phishing, telemetry, tracking, etc. Full includes everything from the Basic and NSFW lists.
The Full list is huge and contains many smaller blacklists. If you run it, you probably won't need to run other lists, as there will be a lot of unnecessary overlap.
The NSFW list blocks domains known to host pornographic content, not limited to known porn streaming/download sites.
However, you have to rely heavily on a single source. You also can't assign different lists, which defeats PiHole's "group management" feature. Group management has the ability to apply different blocking rules to different custom "groups".
OISD lists are updated approximately every 24 hours.
RegEx blocking
Pi-Hole has RegEx (regular expression) support, which can be used to create more complex filter rules for your Pi-Hole setup. This is often called an "advanced" feature, but any user can take the time to learn how to write RegEx entries correctly.
RegExes are actually used in a variety of applications, not just Pi-Hole. Perhaps the main purpose of RegEx is to filter, especially when conducting a search. The search function (CTRL + F) in your browser is an excellent example of RegEx filtering as a search function; the page is "filtered" based on what you type in this search function.
This of course raises the question: how does RegEx apply specifically to Pi-Hole? Generally, Pi-Hole uses RegEx rules to filter domains. Domains that "match" your RegEx rules can be blocked or whitelisted. RegEx entries work together with your blacklists.
The key to using RegEx with your Pi-Hole is to not be too general or broad. With RegEx, specificity is good. General rules exponentially increase the likelihood that you will encounter false positives or significant usability breaks. Ideally, you'd use a list of recommended RegEx like the following instead of creating one from scratch; but as always, if your threat model requires it, feel free to edit it however you like!
You can find a highly recommended list of regular expressions on GitHub: List of recommended regular expressions
Learn how to create RegEx entries for your Pi-Hole with the official documentation: Learn more about RegEx
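To check a rule for over-breadth before adding it, here is an added example (not from the original post or the Pi-Hole project) that runs candidate rules against domains that should be blocked and domains that must keep working. The rules and domains are constructed for illustration, and Python's re module stands in for Pi-Hole's own regex engine, which is an approximation that holds for simple patterns like these.

```python
import re

# Constructed test data: names the rule is meant to catch, and names that
# must keep resolving for devices and services on the network to work.
MUST_BLOCK = ["ads.example.com", "ad7.cdn.example.net", "ads12.example.org"]
MUST_ALLOW = ["downloads.example.com", "uploads.example.net",
              "roads.example.gov", "www.example.org"]

# Hypothetical candidate rules, written for this example only.
RULES = {
    "broad": r"ad",                # unanchored: matches "ad" anywhere in a name
    "specific": r"^ads?[0-9]*\.",  # first label is ad/ads plus optional digits
}


def audit(pattern, must_block, must_allow):
    """Return (missed, false_positives) for one rule against labelled domains."""
    rx = re.compile(pattern)
    missed = [d for d in must_block if not rx.search(d.lower())]
    false_pos = [d for d in must_allow if rx.search(d.lower())]
    return missed, false_pos


def audit_all(rules, must_block=MUST_BLOCK, must_allow=MUST_ALLOW):
    """Audit every named rule; maps rule name -> (missed, false_positives)."""
    return {name: audit(p, must_block, must_allow) for name, p in rules.items()}


if __name__ == "__main__":
    for name, (missed, false_pos) in audit_all(RULES).items():
        print(f"{name}: missed={missed} false_positives={false_pos}")
```

Both rules catch every intended domain, but the unanchored one also blocks three of the four domains that must stay reachable.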
Additional Information
While Pi-Hole is a solid ad-blocking tool, especially on a home/small network, it's certainly not the best ad-blocking tool. There are many ways to block ads, trackers, and malware. Fortunately, many other ways to block ads and trackers work well when combined with a self-hosted network blocking solution like Pi-Hole.
uBlock Origin is a reliable and open source tracker blocker plugin for browsers. It is highly recommended in the privacy community. It is normally recommended to install uBlock Origin in a browser even if you use network-wide ad blocking software like Pi-Hole.
It's possible to block ads, trackers and known malware domains at the browser, device and network level simultaneously; also, there are different ways to do this at different levels. Avoidthehack likes to call this "deep blocking," which is an allusion to the cybersecurity concept of "defense in depth."
Pi-Hole typically requires an upstream DNS server to forward DNS requests. While users can self-host a local recursive DNS resolver like Unbound, this is not always feasible. Users can pair the Pi-Hole with upstream domain filtering (blocking) and an encrypted DNS service.
...
With that in mind, happy blocking, and as always, stay safe!
FAQs
Does Pi-hole block everything?
Because Pi-hole blocks domains at the network level, it is able to block advertisements, such as banner advertisements on a webpage, but it can also block advertisements in unconventional locations, such as on Android, iOS and smart TVs.
Does Pi-hole block malware?
Pi-hole is a great software to block DNS resolution based on curated ad- and malware-blocklists.
Does Pi-hole block trackers?
Pi-hole is a general purpose network-wide ad-blocker that protects your network from ads and trackers without requiring any setup on individual devices. It is able to block ads on any network device (e.g. smart appliances), and, unlike browser add-ons, Pi-hole blocks ads on any type of software.
What are the list of domains to block?
There are three main public domain blacklists: Spamhaus, SURBL, and URIBL.
Can Pi-hole be used as a VPN?
Via this VPN, you can: use the DNS server and full filtering capabilities of your Pi-hole from everywhere around the globe. access your admin interface remotely. encrypt your Internet traffic.
Who competes with Pi-hole?
Beats, Wireshark, LibreNMS, PRTG, and Nagios XI are the most popular alternatives and competitors to Pi-hole.
Does Pi-hole still work in 2022?
It was superseded by Debian Buster on 2019-07-06. Stretch received Long-Term-Support since 2020-07-06 but only until 2022-06-30. It cannot be considered safe to continue running Stretch and, hence, Pi-hole dropped Stretch support – now also for the pre-compiled binaries.
How do I add blocklist to pfBlockerNG?
Using the Blacklist/Whitelist TLD
After installing pfBlockerNG go to “Firewall -> pfBlockerNG”. Then select DNSBL. In this step enable the DNSBL option. Then use “DNSBL Mode” for the direction you plan to block.
The interface for adding DNS records is straightforward. Enter the local domain you wish to create a record for where it says DOMAIN and the IP address associated with the domain where it says IP ADDRESS then click ADD.
How do you customize a Pi-hole?
- In terminal, run sudo nano /etc/pihole/pihole-FTL.conf.
- If you do not have this file, create a file with the same name in the same path. ...
- Restart the PiHole-FTL service: sudo service pihole-FTL restart.
- Next, edit lighttpd.conf file: sudo nano /etc/lighttpd/lighttpd.conf.