DNS-based content filtering is one of the most effective ways to block ads, trackers, malware domains, and unwanted content across your entire network. By maintaining and curating DNS blocklists, you control exactly what gets filtered without relying on third-party services. This guide compares three popular self-hosted DNS blocklist management platforms: Pi-hole, AdGuard Home, and Technitium DNS Server.

Why Manage Your Own DNS Blocklists?

DNS blocklist management gives you granular control over what domains are blocked on your network:

  • Privacy: Block telemetry, analytics, and tracking domains before they collect data
  • Security: Prevent connections to known malware, phishing, and command-and-control domains
  • Bandwidth savings: Block ads at the DNS level, reducing bandwidth consumption by 10-30%
  • Content filtering: Block adult content, gambling, and social media for specific networks
  • Transparency: See exactly what is being blocked and why, with full query logging
  • No subscription fees: Open-source blocklist management costs nothing to run

1. Pi-hole

Pi-hole is the most widely deployed DNS-based ad blocker, designed originally for Raspberry Pi but now running on any Linux system.

Key features:

  • Gravity database: SQLite-based blocklist with millions of entries
  • Group management: Assign different blocklists to different client groups
  • Regex filtering: Block domains using regular expression patterns
  • API access: Full REST API for automation and integration
  • Large community: Extensive documentation, forum, and third-party blocklists

Docker Compose Setup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

version: "3.8"
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "80:80"
      - "443:443"
    environment:
      - TZ=UTC
      - WEBPASSWORD=admin_secret
      - DNSMASQ_LISTENING=all
    volumes:
      - ./pihole-data/etc:/etc/pihole
      - ./pihole-data/dnsmasq:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      - dns:
        ipv4_address: 172.20.0.2

networks:
  dns:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24

Blocklist Management via CLI

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Add a blocklist
docker exec pihole pihole -a -r

# Update gravity database
docker exec pihole pihole -g

# Check blocklist count
docker exec pihole pihole-FTL --config dns.blocklist.adlists

# Query the gravity database
docker exec pihole sqlite3 /etc/pihole/gravity.db   "SELECT COUNT(*) FROM gravity;"

# Add custom domain
docker exec pihole pihole -b blocked-domain.com

Pi-hole Blocklist Sources

Pi-hole ships with no default blocklists. Popular community-maintained blocklists include:

1
2
3
4
5
6

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/regex.list
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADomains.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt

2. AdGuard Home

AdGuard Home is a network-wide ad and tracker blocker with a polished web interface and advanced filtering capabilities.

Key features:

  • Advanced filtering syntax: Supports AdBlock, hosts, and custom filter syntax
  • Client-specific settings: Different filtering rules per device or subnet
  • Safe search enforcement: Force safe search on Google, Bing, YouTube, DuckDuckGo
  • DNSSEC support: Built-in DNSSEC validation
  • Encrypted DNS upstream: DNS-over-HTTPS, DNS-over-TLS, DNS-over-QUIC
  • Parental controls: Built-in adult content and safe browsing filters

Docker Compose Setup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

version: "3.8"
services:
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "3000:3000"     # Setup wizard
      - "80:80"         # Admin interface
    volumes:
      - ./adguard-work:/opt/adguardhome/work
      - ./adguard-conf:/opt/adguardhome/conf
    restart: unless-stopped
    networks:
      - dns

networks:
  dns:
    driver: bridge

AdGuard Home Configuration (YAML)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  upstream_dns:
    - https://dns.quad9.net/dns-query
    - tls://dns.adguard.com
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10

filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
  - enabled: true
    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    name: StevenBlack Unified

querylog:
  enabled: true
  interval: 2160h
  size_memory: 10000

Managing Filters via API

1
2
3
4
5
6
7
8

# Get filter status
curl -s http://admin:secret@localhost/control/filtering/status | python3 -m json.tool

# Add a filter
curl -X POST http://admin:secret@localhost/control/filtering/add_url   -d '{"url":"https://example.com/blocklist.txt","name":"Custom List"}'

# Force re-filter (reload all lists)
curl -X POST http://admin:secret@localhost/control/filtering/refresh

3. Technitium DNS Server

Technitium DNS Server is a self-hosted DNS server with built-in ad blocking, recursive resolution, and authoritative DNS support.

Key features:

  • Built-in blocklists: Ships with multiple pre-configured blocklists
  • Recursive resolver: No need for separate upstream DNS
  • Authoritative DNS: Host your own DNS zones alongside blocking
  • DNS-over-HTTPS/TLS: Built-in encrypted DNS support
  • Cross-platform: Runs on Windows, Linux, macOS, Docker, Raspberry Pi
  • Web console: Full administration interface with real-time statistics

Docker Compose Setup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

version: "3.8"
services:
  technitium:
    image: technitium/dns-server:latest
    container_name: technitium
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "5380:5380"     # Web console
    volumes:
      - ./technitium-data:/etc/dns
    environment:
      - DNS_SERVER_DOMAIN=home.local
      - DNS_SERVER_ADMIN_PASSWORD=admin_secret
    restart: unless-stopped
    networks:
      - dns

networks:
  dns:
    driver: bridge

Blocklist Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

{
  "BlockListSources": [
    {
      "Name": "StevenBlack Unified",
      "Url": "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
      "Enabled": true
    },
    {
      "Name": "OISD Big",
      "Url": "https://big.oisd.nl/",
      "Enabled": true
    },
    {
      "Name": "EasyList",
      "Url": "https://easylist.to/easylist/easylist.txt",
      "Enabled": true
    },
    {
      "Name": "Malware Domain List",
      "Url": "https://www.malwaredomainlist.com/hostslist/hosts.txt",
      "Enabled": true
    }
  ]
}

API Management

1
2
3
4
5
6
7
8

# Get blocklist stats
curl -s "http://localhost:5380/api/stats?token=admin_secret"

# Update all blocklists
curl -X POST "http://localhost:5380/api/blocklist/update?token=admin_secret"

# Get blocked domain count
curl -s "http://localhost:5380/api/config?token=admin_secret" |   python3 -c "import sys,json; d=json.load(sys.stdin); print(d['Config']['BlockedHostsCount'])"

Comparison Table

FeaturePi-holeAdGuard HomeTechnitium DNS Server
Blocklist managementGravity DB + CLIWeb UI + APIWeb UI + JSON config
Filter syntaxhosts + regexAdBlock + hosts + regexhosts format
Group managementYes (client groups)Yes (per-device rules)Limited
DNS-over-HTTPSVia cloudflaredBuilt-inBuilt-in
DNS-over-TLSVia stubbyBuilt-inBuilt-in
Safe searchManual configBuilt-in enforcementManual config
Parental controlsVia blocklistsBuilt-in filtersVia blocklists
Recursive resolverVia dnsmasqNo (forwarding only)Built-in
Authoritative DNSNoNoBuilt-in
APIFull REST APIREST APIREST API
GitHub stars50,000+25,000+6,500+
Best forCommunity, extensibilityPolished UI, filteringAll-in-one DNS server

Choosing the Right DNS Blocklist Manager

  • Pi-hole — Best for users who value community support, extensive documentation, and the ability to customize every aspect of blocklist management. Its group system makes it ideal for environments with different filtering policies per client group.
  • AdGuard Home — Best for users who want a polished, modern web interface with advanced filtering syntax and built-in parental controls. The per-device filtering rules and safe search enforcement are unique differentiators.
  • Technitium DNS Server — Best for users who want an all-in-one solution that combines recursive resolution, authoritative DNS, and ad blocking in a single application. Its cross-platform support (including native Windows) is unmatched.

Why Self-Host DNS Blocklist Management?

Managing your own DNS blocklists puts you in control of what gets filtered on your network:

  • Privacy control: Third-party DNS filtering services (like Cloudflare for Families or Google Family Link) log your queries and make filtering decisions on your behalf. Self-hosting keeps query data local
  • Custom filtering rules: Create allowlists and blocklists tailored to your organization’s specific needs — block internal telemetry domains, allow business-critical services that commercial filters might block
  • No false-positive dependency: Commercial filters may block legitimate domains. With self-hosted management, you control the whitelist and can immediately unblock false positives
  • Transparency and auditing: Full query logs show exactly what was blocked, when, and for which client — essential for compliance and troubleshooting
  • Cost savings: Commercial DNS filtering services charge per-user or per-device. Open-source blocklist managers serve unlimited clients at zero marginal cost
  • Resilience: Your blocklist management continues working even when commercial DNS services experience outages

For DNS-over-QUIC setup, see our DNS-over-QUIC guide. If you need DNS firewall capabilities, check our DNS firewall RPZ guide. For DNS cache monitoring, our DNS cache statistics guide covers performance optimization.

FAQ

How many domains should my blocklist contain?

A typical effective blocklist contains 100,000 to 500,000 domains. The StevenBlack Unified hosts file (~100K entries) is a good starting point. Adding too many blocklists (>10 sources) increases the risk of false positives without significantly improving blocking coverage.

How often should I update my blocklists?

Update blocklists weekly or bi-weekly. Pi-hole and AdGuard Home can be configured to auto-update. More frequent updates provide diminishing returns — most blocklists are updated daily but changes are incremental.

Can I use different blocklists for different devices?

Yes. Pi-hole supports group management where you assign different blocklists to client groups based on MAC address or IP subnet. AdGuard Home offers per-device filtering rules with custom blocklist assignments. Technitium requires manual configuration but supports zone-level filtering rules.

What is the difference between hosts format and AdBlock filter syntax?

Hosts format is a simple domain-per-line list (0.0.0.0 ads.example.com). AdBlock syntax adds rules for specific URL patterns (||ads.example.com^$third-party) and element hiding (##.ad-banner). Pi-hole primarily uses hosts format, while AdGuard Home supports both formats natively.

How do I whitelist domains that are incorrectly blocked?

All three platforms provide whitelisting mechanisms. In Pi-hole: pihole -w example.com. In AdGuard Home: use the Whitelist tab in the web UI. In Technitium: add domains to the Allowed Hosts section. Whitelisted domains take precedence over all blocklists.

Does DNS blocklisting block all ads?

DNS blocklisting only blocks ads served from known ad-serving domains. It cannot block first-party ads served from the same domain as the content (e.g., YouTube ads, sponsored posts on social media). For those, browser-level ad blockers (uBlock Origin) are still needed as a complement to DNS-level filtering.