All-in-One DNS block list

github.com

183 points by foray1010 6 years ago · 55 comments

surround 6 years ago

How to make a block list:

1) Find a bunch of high-quality block lists on the internet which have been painstakingly curated by their maintainers for many years

2) Combine it all into one big list. Tell everyone that you will quickly whitelist any domains if they are causing breakage.

3) Once enough people start using your list, get an advertiser to pay you to silently remove their domains. If anyone notices, just say it was to fix breakage on some obscure site.

I’m not saying that Energized or StevenBlack are doing step 3, but please realize that there are issues with using lists like these. Even if they aren’t getting paid, they might still have some undesirable whitelisted domains. They also deprive the original block list maintainers of views (meaning they might be less inclined to continue maintaining them). You also won’t receive updates from the lists as quickly because of the middle man.

If you are using Pi-hole, OPNsense, or any other tool which can run multiple block lists simultaneously, I recommend taking a look at https://firebog.net for a list of original-source block lists.

  • stblack 6 years ago

    I can see how it might seem that way — I'm Steven Black.

    I can point to thousands of combined...

    * issues https://github.com/StevenBlack/hosts/issues?q=is%3Aissue+is%...

    * ...pull requests... https://github.com/StevenBlack/hosts/pulls?q=is%3Apr+is%3Acl...

    * ... and commits https://github.com/StevenBlack/hosts/commits/master

    ...that indicate, it's not so easy.

    The sources we use are all vetted. Some sources are remarkable in terms of activity, and responsiveness to problems as they occur.

    Overall I think this area is far more dynamic than many realize. Some good people curate the lists we carry.

    • surround 6 years ago

      I don’t mean to belittle your project -

      Consolidated block lists like yours are still important for people who are using the traditional /etc/hosts file. I believe the Pihole project would like to focus more on the software and less on the block lists - so they include your list, which has a good track record of vetting sources and responding to issues. I also appreciate that your project has produced its own original block lists (which happen to be included on the Energized list and firebog.net).

      I just wish more people would use the original source when possible.

      I dislike this Energized list, partly because I had a bad experience using one of their non-primary lists which wasn’t well maintained, and partly because their website (https://energized.pro/) makes it sound like a commercial product.

stblack 6 years ago

This repo has a 3-week track record, by one contributor.

Disclosure: Some of us have been actively curating such amalgamated lists for a long time. https://github.com/StevenBlack/hosts

  • jedisct1 6 years ago

    It has been around for a while, and is quite popular, especially in the Android community.

    On April 23, GitHub disabled the repository. Exact reasons are unknown.

    The repository was then deleted and recreated.

  • tetris11 6 years ago

    I have been using your lists for years, and is the first thing I install on all my machines. Thank you so much for your good and tireless work!

  • moreorless 6 years ago

    Thank you for your contribution. I have a few PfSense/OPNSense deployments that leverage your list. Works great!

  • vsskanth 6 years ago

    Thank you! I use your blacklist on all my devices.

  • ciarannolan 6 years ago

    What are the dangers of using a sketchy blocklist?

    • stblack 6 years ago

      (I wasn't implying that EnergizedProtection is sketchy...)

      The essential problem is, without active curation, source lists can't quickly react to emerging threats.

      Without active curation, source lists become add-only buckets where domains land, and are rarely removed, long after they are abandoned.

      The soft option is to simply cumulate domains. We've seen candidate block lists grow from 350,000 domains to 750,000 domains. These are just endless one-way buckets. Use that as your Android phone's hosts file, or your Windows PC's hosts file, and you're going to have a bad time.

      At the edges, there are myriad grey areas. We can all agree that YouTube serving ads is painful. But what about Youtube retaining your viewing history, which some people find very useful and handy. Over the years we've often had discussions such as this. This is what it means to actively curate.

    • willis936 6 years ago

      I'm no expert, but the most obvious answer is "you MITM yourself".

      If there is a userbase for a list, they have to trust the list to not filter out domains that shouldn't be filtered. I have a hard time thinking how this could lead to hidden repercussions, other than some security flaw that is only exploitable when some subset of requests go through.

      • ciarannolan 6 years ago

        Perhaps they can point a particular host to a malicious IP rather than "0.0.0.0". In a list of several hundred thousand domains, you wouldn't be able to notice this manually.

        e.g., make Bank of America resolve to a phishing site rather than the real BoA IP.

        Pi-Hole and others might check for this though, I don't know.

        • tejtm 6 years ago

          Back before security fatigue set in, I would filter the lists through my own sanity checks for this sort of thing (never found a single one amiss after years) then point my clients at my vetted lists.

        • willis936 6 years ago

          I am under the impression that the blocklist programs (such as ublock origin or pi-hole) do not have an option to redirect to anything other than the void. I can only see downsides to allowing this.

          • contravariant 6 years ago

            Actually ublock-origin has some options to replace Javascripts with custom (presumably less intrusive) scripts. Although I don't think 3rd party lists can do this.

            Anyway the repository in this post also provides host files, which most definitely can redirect you to malicious IPs.

            Edit: Turns out 3rd party block lists can use the redirect feature but only to Ublock Origin managed resources: https://github.com/gorhill/uBlock/wiki/Resources-Library

          • jlgaddis 6 years ago

            > ... do not have an option to redirect to anything other than the void.

            Pi-hole uses dnsmasq [0], a caching DNS resolver (among other things), and includes its own customized configuration files for it.

            With that level of control, Pi-hole has the ability to redirect you anywhere on the Internet that they want.

            We all hope that the folks behind Pi-hole would never do such a thing -- but they do have the "option".

            ---

            [0]: http://www.thekelleys.org.uk/dnsmasq/doc.html

        • csunbird 6 years ago

          HTTPS should protect you from that.

    • wp381640 6 years ago

      I added a random blocklist to my pihole once and found it was blocking random sites like Gizmodo purely based on politics.

praveenweb 6 years ago

I have been using NextDNS with a few block lists configured at the router level and device level.

The internet experience has improved a lot since ads and trackers are blocked system wide.

A few block lists that I would recommend:

1. Steven Hosts - https://github.com/StevenBlack/hosts

2. Adguard DNS - https://github.com/AdguardTeam/AdguardSDNSFilter

3. disconnect.me

The amount of DNS requests made silently in the background is astonishing across all devices.

  • Etheryte 6 years ago

    I'm also using NextDNS and one thing that's a huge boon for me is that the default free tier covers my use case insanely well. Given the statistics for the last 3 months I seem to consistently fly under the free tier limit but if I ever do hit it, it will just default back to a regular DNS. A very user-friendly approach and I hope they keep it as they grow.

    • rsyring 6 years ago

      The other option would be to pay them. :) It's great service and pretty inexpensive, why not support them?

      • symfoniq 6 years ago

        Agreed. They couldn't take my $20 fast enough. Such a great service.

      • pizzazzaro 6 years ago

        Not gonna claim to know the situation of the folks you're replying to. And I'm not gonna pretend these organizations operate for free - if you can reasonably afford it? Supporting them is a great patriotism / praxis / etc for internet denizens.

        But I will say this - advertising and tracking has a long, storied history of being a malware infection route. The great boon for all of us from a free-tier DNS-filter service is the additional layer of virus and information protection.

        Protecting each other, even inexperienced, or low-budget users? Is the best thing we can do to slow the propagation of malware and institutional information leeches. This in turn protects even the servers of potentially ill-informed or budget-constricted server admins.

        We are dealing with internet epidemiology. Free-tier "covid masks" / DNS filters preserve more health than simply for the users actively participating. We have to be in this together, or we will watch each other sink.

        Thank you for your time, and sorry for the longwinded Lefty- "Dwight Schrute"-ing. But this entire disclaimer felt necessary to me.

  • A4ET8a8uTh0 6 years ago

    > The amount of DNS requests made silently in the background is astonishing across all devices.

    I still remember seeing the log for the first time. It is very radicalizing.

  • foray1010OP 6 years ago

    Energized Protection actually included them all, so you don't need to add them one by one, and nextdns supports it!

  • wjnc 6 years ago

    Me too! It's blocking a whopping 25%-30% of all requests without a single negative change in my browsing comfort.

    • t212 6 years ago

      I really want to use it but it blocks Spotify playlist links when I try to open them from Reddit.

      • mbdesign 6 years ago

        Check your Nextdns.io logs and see what gets blocked. Then add the blocked domain (or the whole root domain) to the Whitelist. The whitelist always overrides any blocklist entry.

      • garren 6 years ago

        On Apple devices it’s as easy as toggling a switch to temporarily disable it. Not perfect but easy enough. Still trying to figure out a similar solution on Linux...

      • MattieTK 6 years ago

        They added a new setting recently to allow affiliate links like those used for tracking which might include this, try it out.

      • wjnc 6 years ago

        If you really want to use it you should try diving into what blocklist is causing the block OR whitelist the URL.

bertman 6 years ago

I really appreciate projects like this because I'm sure keeping these lists up-to-date is not an easy task, and many people benefit from the efforts.

That said: maybe it's just me, but I find their website[1] a bit...strange?

It looks like one of those SAAS startup landing pages, you can pick your "pack of block list" ranging from "Tru lite" to "XTreme" etc...

Or maybe it's supposed to be ironic and I just don't get it :)

[1] https://energized.pro/

  • r1ch 6 years ago

    Ironically their website doesn't work if you block 3rd party JS due to Cloudflare.

    • cptskippy 6 years ago

      I abandoned NoScript because I felt like I spent more time whitelisting JS than browsing the web and other people just couldn't borrow my browser.

      NoScript really needs the ability to whitelist a TLD for providers like cloudflare.

      • aroch 6 years ago

        They do? You can globally whitelist urls

        • Mathnerd314 6 years ago

          The issue for Cloudflare is whitelisting the DDoS protection script included on each page. It's under a lot of URLs so it would have to be content-based.

  • jlgaddis 6 years ago

    > Let's make an annoyance free better open internet, altogether!

    As a part-time grammar Nazi, there are several things here that annoy the hell outta me!

    After reading that, I had to quickly abort and close the tab.

lightswitch05 6 years ago

Looks like my lists are intended to be included, but it was linking to the raw Github source instead of the hosted Github pages version. I went through a major refactor 21 days ago that moved my sources lists around a bit - but preserved the links that are supplied all over the README and the Github hosted pages. So, not only is the project linking to the wrong place, but my list has been broken in it for 21 days now without notice.

It's fine that people love creating these massive all-in-one lists. But I recommend just using the sources directly. That way, if a list gives you trouble, you know who to open a ticket with, or just disable that specific list if it's too aggressive for your tastes.

My lists: https://www.github.developerdan.com/hosts/

Wronnay 6 years ago

I am pretty happy with https://www.reddit.com/r/oisd_blocklist/ as an All-in-One Solution ...

  • chance_state 6 years ago

    I use this with my Pi-Hole. Works very well. Along with a few other lists the Pi-Hole blocks about 30% of requests with almost no changes on the user end.

  • foray1010OP 6 years ago

    Not bad too! But I really prefer open-source solutions more, at least we know how it builds. Because in theory the list can be used for DNS hijacking.

foobar_ 6 years ago

Fundamentally DNS is a naming system but each site has a separate naming system via user names.

Something like this should also be applicable for social networks as well. I found this for twitter - https://blocktogether.org/ not sure if it is possible for others like facebook.

rndomsrmn 6 years ago

Also a ref to: https://github.com/notracking/hosts-blocklists

They have a public whitelist and updates are pushed on a daily basis.

dastx 6 years ago

Are there any tools out there that I can use to generate my own aggregated lists from a set of other blocklists?

Ideally it leverages things like GitHub Actions (or another CI tool) + GH Pages/GH releases/Netlify to relieve the burden of having to host it myself.

The reason for this is so that I can use NetGuard, which allows for only 1 blocklist. Currently I'm flipping between Blokada and DNS66 because they allow for multiple lists.

bluedino 6 years ago

I've been using blocklists from a couple github repositories for a long time, heck probably since they were found on regular web pages.

They work pretty well, but can be a little cumbersome to turn off or to enable certain domains from time to time (such as when a site has so many ads it breaks the site). But the increased safety and speed while surfing are well worth it.

jedisct1 6 years ago

Some other blacklists here: https://github.com/dnscrypt/dnscrypt-proxy/wiki/Public-black...

Along with a script that aggregates data from multiple lists, removes duplicates/overlaps, whitelists, etc.
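A minimal aggregator of the kind jedisct1 and dastx describe, which also applies the sanity check tejtm mentions upthread: it parses hosts-format and plain-domain lists, flags any entry that maps a domain to a real address rather than a sinkhole, then merges, deduplicates and whitelists. This is an added example, not code from any project in the thread, and the sample lists and whitelist are constructed.

```python
import ipaddress
import re

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # harmless block targets
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]+(?<!-)(\.(?!-)[a-z0-9-]+(?<!-))+$")

# Constructed sample inputs (not real block-list content).
HOSTS_LIST = """\
# sample hosts-format list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
127.0.0.1 localhost
203.0.113.7 bank.example.com  # a redirect, not a sinkhole
"""
DOMAIN_LIST = "ads.example.net\ntelemetry.example.com\ncdn.example.net\n"
WHITELIST = ["cdn.example.net"]

def parse_list(text):
    """Yield (domain, target) pairs; target is None for plain-domain lists."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:  # hosts format: first column is the address the domain maps to
            target, names = str(ipaddress.ip_address(fields[0])), fields[1:]
        except ValueError:  # plain-domain format: every field is a domain
            target, names = None, fields
        for name in names:
            if DOMAIN_RE.match(name):  # skips bare names such as "localhost"
                yield name, target

def suspicious_entries(text):
    """Entries mapped to a real address rather than a sinkhole (the
    'point a bank at a phishing IP' risk raised in the thread)."""
    return sorted({(d, t) for d, t in parse_list(text) if t and t not in SINKHOLES})

def aggregate(sources, whitelist=()):
    """Merge lists into one deduplicated 0.0.0.0 hosts file; whitelisted
    domains (and their subdomains) and any redirecting entry are dropped."""
    allow = tuple(w.strip().lower() for w in whitelist)
    keep = set()
    for text in sources:
        for name, target in parse_list(text):
            if target and target not in SINKHOLES:
                continue  # never carry a redirect into the merged list
            if any(name == w or name.endswith("." + w) for w in allow):
                continue
            keep.add(name)
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(keep))
```

Run `suspicious_entries` over each source before merging so a redirecting entry is reviewed rather than silently dropped; `aggregate` drops such entries as a safety net either way.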

3ace 6 years ago

Right now I'm actively using https://doh.tiar.app maintained by my friend https://twitter.com/pengelana/

goldfix 6 years ago

Alternative client to update your hosts file: https://github.com/goldfix/pigHosts

balboah 6 years ago

This list can be used on Android or iOS by downloading the Blokada app

depressedCorgi 6 years ago

Very cool, I’m gonna try this out with PiHole.

op03 6 years ago

Are there any Firefox, Ubuntu ppl around? Can you guys bake this stuff (host blacklists) into browser, os autoupdates?
