Avoid The Hack: The Best Pi-Hole Blocklists (2023)
This post was originally published on 26 APR 2021; it has since been updated and revised.
If you're looking for solid blocklists for your PiHole, then we have a collection of mega-blocklists for you right here.
We also have some words of wisdom to share when it comes to using these blocklists.
Don't have a Pi-Hole set up? Then you can follow the ATH guide to setting up a Pi-Hole on your network.
Picking your blocklist(s)
Use these points as a helpful reference for picking what blocklists you want to use for your PiHole.
1. Consider your "threat" model
In this specific case, you'll want to ask yourself two questions:
- What do you want to block? (Malware domains, Advertising, Trackers, Telemetry, Parental Control, etc)
- What are your reasons for blocking it? (AKA: Why?)
For example, are you...
- Wanting to block excessive device telemetry because constant requests are slowing down your network?
- A parent wanting to block malware and adult-content related domains network wide (irrespective of device) because you don't want your kids visiting such sites?
- Wanting to block intrusive ads across your entire home network because you're tired of targeted and privacy invading ads?
This isn't to say that you need specific justification for blocking certain things via PiHole, but it's definitely important to consider what you need blocked and for what reason. You'll want your PiHole to be efficient and provide the most benefit for you and your network.
Additionally, when you take into things like basic device functionality into account, you'll find that just blocking "everything" is often times not feasible.
Blocking everything usually means many things tend to break, and some devices/services/websites become totally unusable/inaccessible if you go for a "nuke everything" approach.
2. Consider devices on your network
You'll want to heavily consider just what devices run on your home network.
How many devices are connected to your Wi-Fi? What types of devices are these? Keep in mind that many "Smart devices" may connect to your home network.
Some of these might include...
- Gaming consoles (ex: Xbox)
- Smartphones (ex: iPhone)
- Smart watches (ex: Garmin's smart fitness trackers)
- Tablets (ex: iPad)
- Smart TVs
- Streaming devices/sticks (ex: Roku)
- Smart appliances (ex: "Smart fridges")
For example, while you may wish to block your Windows 10 PC from sending a ton of information (AKA telemetry) to Microsoft, it might not be beneficial for you to block every request related to known Microsoft domains (such as microsoft.com or things served with their cloud platform, Azure.)
Doing so could adversely affect the functionality of your device, such as receiving critical updates to crucial services and/or updating the operating system itself.
For example, if you go as far as to block things related to its Azure cloud platform, you can go as far as breaking certain websites that rely on Azure for all devices on your network. The process of steadily "unbreaking" everything can be frustrating and time-consuming for many users. Quite frankly, finding out where things went wrong isn't fun or conducive for people who want something that just works.
What's more is that when you consider your devices, you should also consider some of the internet-connected services they might use...
For example, if you're an avid streamer, then you may not want to blindly block everything reaching out to a hulu.com related domain - else you won't be able to launch and watch hulu on your home network.
Likewise, if you're an console gamer, you might not want to totally blacklist all domains associated with Sony, Microsoft, or Nintendo - or else your console might not function properly in some areas, such as online gaming or recording achievements.
This isn't to say that you can't block some requests to microsoft.com or hulu.com, just that you may not want to blacklist the entire domain or everything associated with it.
3. More is not always better
Say it with me: More. Is. Not. Always. Better.
Listen, I know that the resources linked here have a ton of blocking lists.
I also know that some of these blocking lists are huge.
It may be tempting to use each and every blocklist found here or elsewhere. However, I'm strongly advising you not to do that.
You see, many of these blocklists borrow from each other. Because of this, if you use all of them, you'll find yourself with a lot of overlap and needless redundancy.
Redundancy reduces efficiency and wastes resources. Additionally, the more lists you use, then the more likely you are to run into false positives, which can really be a pain in the ass to deal with.
Remember: a "nuke everything" approach is not necessarily the best approach here. Overall, you want to find a balanced solution that both increases your level of privacy while maintaining good functionality.
In fact, in some cases, you may find that the stock blocklist fits your personal needs, which is perfectly fine. More is not always better - remember that!
4. Don't be afraid to Whitelist
If you plan on running an aggressive blocking set up, then you shouldn't be afraid to whitelist certain domains.
It seems counterintuitive but here is the logic... the more "aggressive" you are with blocking, then the more likely (legitimate) websites/services are to break. Aggressive blocking can also increase the frequency of false positives.
This doesn't necessarily mean that you have to be any less aggressive in your blocking - especially if your threat model calls for it or you don't mind dealing with breakage. However, to maintain functionality you might want to take care by whitelisting domains that totally break things when blocked.
When you whitelist those blocked domains that cause substantial breakage, you can more easily continue to run aggressive blocklists. However, you should be forewarned that you'll need to stay on top of updating your whitelist, as these domains can readily change.
For example, a whitelisted domain can become obsolete by either not resolving or having whatever crucial service it was providing moved to another host (with a different domain.) Perhaps you no longer have a device/app that requires the whitelist.
You may also find that your whitelist grows with time. This can be due to a number of different factors, not limited to:
- the addition of new devices on your network
- new updates
- additional apps on your devices
If you weren't aware already, PiHole comes out-the-box with an optional blocklist:
This blocklist is well maintained and provides good blocking functionality without breaking normal functionality. For some it might be enough, but users often find they want to add their own custom lists for enhanced blocking capabilities.
However, if there comes a time where you need or want to delete your accumulated blocklists and/or restore the "default" blocklist...
To remove existing blocklists, run this command in Terminal:
sudo sqlite3 /etc/pihole/gravity.db "DELETE FROM adlist"
To restore the default blocklists, follow the steps outlined on the PiHole discourse forum.
The Firebog (WaLLy3k)
The lists found at The Firebog are separated several ways. First, the lists are separated into categories:
- Tracking & Telemetry
Then, they're separated into green and blue. Green is the least likely for breakage, whereas blue lists are more likely to break things.
I personally recommend using 1 to 2 blocklists from the Advertising, Tracking & Telemetry, and Malicious sections.
You should avoid the crossed out lists. Feel free to experiment mixing the more aggressive "blue" lists with the less aggressive green ones.
For many users, the categories and green/blue lists found here should cover what you need and/or want your PiHole to block.
(Personally, I use the AdGuardDNS, Threat-Intel, and SmartTV lists. Use
CTRL+F on the Firebog page to find them.)
Developer Dan (lightswitch05)
Most users will want to checkout the Ads & Tracking list and the Google AMP hosts list. You can experiment with the Tracking Aggressive as well.
These lists are well maintained and updated very frequently.
Personally, I use the Tracking Aggressive list and found it fits the bill for good blocking and functionality. A lot of users have noticed breakage when using this list, so please be prepared to remedy rectify if breakage occurs in your own use of this particular blocklist.
As always, consult your own needs and threat model when choosing which blocklists to use!
This project lists a variety of lists for easy tailoring to user's blocking needs. These lists can be used in any combination and are definitively supported in Pi-Hole and AdGuard Home.
Most users will want to check out the Advertising, Tracking, and Malware lists. Users looking for more protection could also look at the Phishing, Fraud, and Scam lists.
Social Media focused lists, such as the Facebook, Twitter, and TikTok lists aim to block domains/hosts known to be associated with these social media platforms, regardless of purpose.
Depending on other needs - such as parental control/content moderation needs - users can also check out the list types blocking dubious activities and content (whether legal or not), such as gambling.
Lists here are well maintained and updated frequently. The contributors behind this project are constantly adding new list categories and types, as well as quickly processing removal and addition requests.
OISD Domain Blocklist
This list comes in 3 main flavors: Basic, Full, and Not Safe For Work (NSFW).
While this list is big and incorporates many other lists, it remains controversial in the Pi-Hole community. Please use at your discretion.
Basic primarily blocks advertisements whereas Full contains everything from advertisements, malware, scam/phishing, telemetry, tracking, etc. Additionally Full includes everything from the Basic and NSFW lists.
The Full list is massive and incorporates a ton of smaller blocklists. If you run this one, chances are you won't need to run any other lists as there will be a lot of needless overlap.
The NSFW list blocks domains that are known to host pornographic content not limited to known porn streaming/downloading sites.
However, this results in you having to place a lot of trust in a single party. You also will not be able to assign different lists , which negates the "Group management" feature of PiHole. Group management has the capability of applying different blocking rules to different user-defined "groups."
The OISD lists are updated approximately every 24 hours.
Pi-Hole features RegEx (regular expression), which can create more complex filter rules for your Pi-Hole set up. This is often described as an "advanced" function, but any user can take the time to learn how to properly write RegEx entries.
RegExes are actually used in a variety of applications -- not just Pi-Hole. Perhaps the main purpose for RegEx is for filtering, most notably while performing a search. The search function (CTRL + F) in your browser is an excellent example of RegEx filtering as a search function; the page gets "filtered" based on what you input into this search function.
So, naturally that begs the question: How does RegEx apply to Pi-Hole specifically? Generally speaking, Pi-Hole uses RegEx rules to filter domains. The domains that "hit" on your RegEx rules can be either blocked or whitelisted. The RegEx entries function alongside your blocklists.
The key to using RegEx with your Pi-Hole is not to be too general or broad. With RegEx, specificity is good. General rules exponentially increase the likelihood you'll run into false positives or significant breakage in usability. Ideally, you'd use a recommended RegEx list like below versus creating one from scratch; but as always, if your threat model calls for it, feel free to edit as you see fit!
A highly recommended RegEx list can be found on GitHub: Recommended RegEx list
Learn to create RegEx entries for your Pi-Hole with the official documentation: More info on RegEx
While Pi-Hole is a solid tool for blocking ads, especially on a home/small network, it is certainly not the definitive end all for blocking ads. There are many ways to block ads, trackers, and malware. Fortunately, many other ways of blocking ads and trackers work well when paired with a self-hosted network blocking solution like Pi-Hole.
uBlock Origin is an open-source and trusted tracker blocker plugin for browsers. It is highly recommended in the privacy community. Generally, it is recommended to install uBlock Origin on a browser even if using network-wide adblocking software like Pi-Hole.
It is possible to block ads, trackers, and known malware domains on the browser, device, and network levels simultaneously; additionally, there are different ways to accomplish this on the various levels. Avoidthehack likes to call this "blocking-in-depth," which is a play off cybersecurity concept, Defense-in-Depth.
Pi-Hole generally requires an upstream DNS server to pass DNS requests off. While users can self-host a local recursive DNS resolver like Unbound, this may not always be feasible. Users can pair Pi-Hole with an upstream domain filtering (blocking) and encrypted DNS service.
With that said, happy blocking and as always, stay safe out there!