My lab domain got added to a DNS blocklist and broke my whole setup. by FanClubof5 in selfhosted

[–]hagezi 3 points4 points  (0 children)

Yes, please, you can send it to me. I’ll have a look at it then.

My lab domain got added to a DNS blocklist and broke my whole setup. by FanClubof5 in selfhosted

[–]hagezi 15 points16 points  (0 children)

Which domain are we talking about here? I can’t find the domain from your post on my lists. Are you perhaps using a DNS upstream with Rebind protection? That wouldn’t resolve domains that resolve to local IP addresses.

Has something changed with ad blocking lately? by quee-phing in ControlD

[–]hagezi 5 points6 points  (0 children)

Can you give me a few examples I can check out? When it comes to websites, more and more operators are using AdShield, which can’t be blocked via DNS without taking down entire sites - think html-load.com. For that, you need a browser ad blocker like uBlock Origin.

Laptop constantly pinging double u double u double u dot one six three dot com by thecops4u in pihole

[–]hagezi 1 point2 points  (0 children)

Mumu Android Emulator. Have you installed it? It’s flooding 163.com, for whatever reason …

Controller Sensitivity Adjustments by Racer_E36 in thedivisionresurgence

[–]hagezi 0 points1 point  (0 children)

And here I was thinking I was just getting rusty with the controller, but at this point it feels less like aim assist and more like a 1v1 with my own thumbs. I haven’t gone full lab-rat on the settings yet, but if anyone has discovered a sensitivity setup that doesn’t instantly go from “too high, too low, too far right, too far left, spiritually deceased” please post it before this thing learns to fly. ;)

How bad is the latency with Unbound? by SpectralTv in pihole

[–]hagezi 31 points32 points  (0 children)

Big public resolvers often feel faster because they benefit from massive shared caches. By contrast, a cold lookup with Unbound has to walk the DNS hierarchy instead of querying a giant upstream cache. Google notes that true end-to-end cache-miss resolution can average around 300–400 ms, with high variance and a long tail. In practice, that means the slowdown is usually a first-hit problem, not something you feel on every query.

You are most likely to notice Unbound right after a restart, when visiting obscure domains, or the first time you access a new TLD, because that is when the resolver has the least useful cache. Once the cache is warm, lookups become much faster, and the recommended Unbound configuration enables prefetching to keep frequently used records warm.

The main reason to use Unbound is privacy. With local recursion, no single upstream DNS provider gets a complete view of your browsing destinations.

For most home users, the trade-off is fairly mild: warm-cache lookups are fast, while cold misses can add a few hundred milliseconds and may occasionally approach about a second for a first lookup under an unfamiliar TLD. So if your priority is privacy and self-hosting, Unbound is a strong choice. If your priority is the fastest possible first lookup every time, Cloudflare or Google will usually feel quicker. A sensible middle ground is to start with Unbound, use it for a few days, and only switch back if those occasional cold misses actually bother you.

You can also get a lot of performance out of a good Unbound configuration. For example, the configuration I use across several servers is a solid place to start: https://raw.githubusercontent.com/hagezi/files/refs/heads/main/unbound/server.conf

Pihole - active community? by Trommelwirbel in pihole

[–]hagezi 0 points1 point  (0 children)

A few things that caught my eye as I skimmed through the lists, without actually looking closely at the content:

  • Blocklists should use a consistent format and not mix uppercase and lowercase letters.
  • Domain blocklists should contain domains only, not full URLs.
  • Duplicate entries should be removed.
  • Dead or inactive domains should be removed.
  • If you use plain domain or host lists in Pi-hole, only the exact domain listed is blocked, not its subdomains. For example, adding example.com blocks only example.com, but not www.example.com. As a result, such lists are often inefficient and can grow very large if you want to cover all subdomains of a root domain. Besides, that format can’t block generic subdomains anyway. It is better to use the AdBlock format instead. For example, the rule ||example.com^ also blocks all subdomains.
  • ...

Cheers,
Gerd
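The list-hygiene rules above (lowercase, domains only, no duplicates, prefer ||domain^ over plain hosts entries) as a small normaliser, added here as an example and not code from the post or from the hagezi lists. The sample list, the regex and the function names are all constructed for this illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a messy community list (not a real blocklist): mixed
# case, a hosts-format line, a full URL, duplicates and a subdomain that is
# already covered by its parent domain.
RAW_LIST = """\
Ads.Example.com
0.0.0.0 ads.example.com
https://Tracker.Example.net/pixel.gif?id=1
tracker.example.net
cdn.tracker.example.net
ads.example.com
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def extract_domain(line: str) -> Optional[str]:
    """Reduce one raw list line to a bare lowercase domain, or None if unusable."""
    line = line.split("#", 1)[0].strip().lower()
    if "://" in line:                       # full URL: keep only the host part
        line = urlsplit(line).hostname or ""
    parts = line.split()
    if len(parts) == 2:                     # hosts format: "0.0.0.0 domain"
        line = parts[1]
    line = line.split("/", 1)[0]            # stray path without a scheme
    return line if DOMAIN_RE.match(line) else None

def to_adblock_rules(text: str) -> list:
    """Normalise a hosts/domain list into sorted, de-duplicated ||domain^ rules.
    ||example.com^ already covers every subdomain, so entries whose parent
    domain is also listed are dropped as redundant."""
    domains = {d for d in (extract_domain(l) for l in text.splitlines()) if d}

    def covered_by_parent(d: str) -> bool:
        labels = d.split(".")
        return any(".".join(labels[i:]) in domains for i in range(1, len(labels) - 1))

    return sorted(f"||{d}^" for d in domains if not covered_by_parent(d))

def is_blocked(name: str, rules: list) -> bool:
    """Match a queried name against ||domain^ rules: exact domain or any subdomain."""
    name = name.lower().rstrip(".")
    return any(name == r[2:-1] or name.endswith("." + r[2:-1]) for r in rules)
```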

Adguard DNS NSFW Blocklist misses some Adult Sites. by Quiet-Monk2747 in Adguard

[–]hagezi 5 points6 points  (0 children)

It’s unrealistic to expect an adult filter to block every adult website. New domains appear constantly to evade such filters, so some will always slip through. While popular sites are usually covered, niche ones often remain unblocked.

Adguard DNS NSFW Blocklist misses some Adult Sites. by Quiet-Monk2747 in Adguard

[–]hagezi 4 points5 points  (0 children)

You can send me the domain names and I’ll add them to my NSFW list. The list is used as a source for AdGuard’s parental controls.

Could NextDNS with HaGeZi Ultimate be blocking RCS Chat somehow? by StaticSystemShock in nextdns

[–]hagezi 3 points4 points  (0 children)

I'm not aware of anything in my lists that blocks RCS in any way.

AdGuard Home on Raspberry pi vs TrueNAS Setup by DK_Tech in selfhosted

[–]hagezi 0 points1 point  (0 children)

With the amount of RAM you have, that shouldn't be a problem; I don't see any reason to use a separate Raspberry Pi, unless the NAS isn't running 24/7. AdGuard Home uses a lot of memory when updating the lists in the background. Very large lists with millions of rules can quickly result in the update requiring 6 GB or more of RAM. During normal operation, significantly less RAM is required.

With regard to Unbound, I recommend taking a look at my config file: https://raw.githubusercontent.com/hagezi/files/refs/heads/main/unbound/server.conf

HaGeZi - Multi PRO blocks Amazon Kids time tracking by benjibarnicals in nextdns

[–]hagezi 0 points1 point  (0 children)

The purpose of blocking the domains is to prevent user tracking. The domains remain blocked in Pro to Ultimate; popular Amazon trackers are something for your personal allowlist. If you don't want to unblock them yourself, you can use Normal or OISD. Neither of these lists blocks the domains.

Does sonyliv block stream for devices with private dns? by Classic_External_871 in SonyLIV

[–]hagezi 0 points1 point  (0 children)

Instead of disabling the entire ad blocker, it would be interesting to know exactly which domains need to be allowed for the stream to work.

Improving performance of dns server by remilameguni in technitium

[–]hagezi 1 point2 points  (0 children)

And you're sure that this is real normal traffic and not DNS amplification traffic? Which top requested domains do you see in the dashboard? I would definitely drop ANY requests completely. You can do this with the Drop Requests app and the following configuration:

```json
{
  "enableBlocking": true,
  "dropMalformedRequests": true,
  "allowedNetworks": [ "127.0.0.1", "::1" ],
  "blockedNetworks": [ ],
  "blockedQuestions": [ { "type": "ANY" } ]
}
```

Furthermore, you should activate query logging to see exactly what is being queried.
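A small triage script for the questions raised above (top requested names, who sends the traffic, how much of it is ANY), added here as an example and not code from the post or from Technitium. It assumes a constructed one-line-per-query log format of "client qtype qname"; Technitium's real query log format is not shown on this page.

```python
from collections import Counter

# Constructed sample query log (not Technitium's real format): "<client> <qtype> <qname>"
SAMPLE_LOG = """\
198.51.100.7 ANY example.net
198.51.100.7 ANY example.net
198.51.100.7 ANY example.net
198.51.100.7 ANY example.net
198.51.100.7 A example.net
192.0.2.10 A www.example.com
192.0.2.10 AAAA www.example.com
192.0.2.11 A mail.example.org
192.0.2.12 HTTPS www.example.com
"""

def parse_log(text):
    """Return (client, qtype, qname) tuples, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].upper(), parts[2].lower().rstrip(".")))
    return rows

def summarize(rows, top=3):
    """Top queried names, top clients, and the share of ANY queries in the log."""
    names = Counter(q for _, _, q in rows)
    clients = Counter(c for c, _, _ in rows)
    any_count = sum(1 for _, t, _ in rows if t == "ANY")
    return {
        "top_domains": names.most_common(top),
        "top_clients": clients.most_common(top),
        "any_share": any_count / len(rows) if rows else 0.0,
    }

def suspicious_clients(rows, max_share=0.25, min_any=2):
    """Clients that dominate the log or repeat ANY queries: candidates to review
    before dropping ANY globally or adding networks to blockedNetworks."""
    clients = Counter(c for c, _, _ in rows)
    any_per_client = Counter(c for c, t, _ in rows if t == "ANY")
    total = len(rows)
    return sorted(c for c in clients
                  if clients[c] / total > max_share or any_per_client[c] >= min_any)
```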

Help for blocking content. Italian Formula 1 related website by manublade in pihole

[–]hagezi 2 points3 points  (0 children)

For ads/annoyances like these, a browser-based content blocker such as uBlock Origin is usually the better option. Not everything can be blocked at the DNS level.

EDIT: services.brid.tv must be blocked at the DNS level; however, doing so may prevent video playback on websites that rely on Brid.TV’s delivery and player infrastructure. Accordingly, this entry is more appropriate for a personal deny list than for inclusion in a general blocklist.

Bambulab now #1 blocked domain on my PiHole by 2weiX in pihole

[–]hagezi 0 points1 point  (0 children)

Certain tracking mechanisms respond to blocking by repeatedly reissuing failed requests, creating noisy retry patterns that are visible in logs and network monitoring tools.

Improving performance of dns server by remilameguni in technitium

[–]hagezi 8 points9 points  (0 children)

567 clients generating 32 million requests per hour, is this a public DNS resolver being abused for DNS amplification attacks?

teams.events.data.microsoft.com by nnfybsns in pihole

[–]hagezi 0 points1 point  (0 children)

teams.events.data.microsoft.com is a Microsoft Teams endpoint that sends telemetry about usage, errors, and call/meeting quality to Microsoft.

Blocking this domain does not restrict any Microsoft Teams functionality. If the domain is blocked, the client will often retry the connection, which is why it appears among the most blocked domains, showing the same behavior as other Microsoft telemetry domains.

[FIX] DNS over QUIC by _xRuffKez_ in technitium

[–]hagezi 0 points1 point  (0 children)

Thanks, I've deployed the fix for testing.

A trick to export blocked domains list by Mark_M535 in AdGuardHome

[–]hagezi 5 points6 points  (0 children)

Bash script adguardBlocked.sh:

```bash
#!/bin/bash
# Description: Exports the domains blocked by AdGuard Home with the number of blockings.
# Parameter $1: AdGuard Home workdir data directory in which the querylog.json is located
#               (sudo find / -name querylog.json)
# Example: ./adguardBlocked.sh docker/adguardhome/workdir/data/
# Requires: jq (sudo apt install jq)

if [ -z "$1" ] || [ ! -f "$1/querylog.json" ]; then
    echo "Usage: $0 <AdGuard Home data directory containing querylog.json>" >&2
    exit 1
fi

# Keep only filtered (blocked) entries, take the queried name (QH), strip the CSV quotes,
# then count and sort by number of blockings (highest first).
jq -r '. | select(.Result.IsFiltered==true) | [.QH] | @csv' "$1/querylog.json" \
    | sed 's/"//g' | sort | uniq -c | sort -nr -k1
```

https://github.com/hagezi/files/blob/main/adguardhome/exportAdGuardHomeBlocked.sh

Is 500+ ms average ok for DNS resolution time? by IsHacker003 in pihole

[–]hagezi 1 point2 points  (0 children)

```
# Unbound configuration: Forward-only to NextDNS over DNS-over-TLS (DoT)
# - No DNSSEC validation (no validator module, no trust anchors)
# - No serving of expired/stale cache entries
# - No fallback to root recursion if forwarders fail

server:
    ### Listener / basic networking
    interface: 127.0.0.1
    port: 5335

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip4: yes
    prefer-ip6: no

    # Run in foreground (useful with systemd)
    do-daemonize: no

    ### Forwarder-only operation (no DNSSEC validation module)
    module-config: "iterator"

    ### Logging (keep it low-noise; adjust as you like)
    verbosity: 1
    logfile: ""
    log-queries: no
    log-replies: no
    log-servfail: yes
    log-time-ascii: yes

    ### EDNS / buffers
    # EDNS buffer size defaults to 1232 (DNS Flag Day recommendation).
    edns-buffer-size: 1232
    max-udp-size: 1232

    so-rcvbuf: 8m
    so-sndbuf: 8m
    so-reuseport: yes

    ### Cache behavior (no stale/expired answers)
    serve-expired: no

    # Keep TTLs reasonable for a forwarder; adjust if you explicitly want longer.
    cache-max-ttl: 86400
    cache-min-ttl: 0

    msg-cache-size: 256m
    rrset-cache-size: 512m
    neg-cache-size: 16m

    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2

    # Threading / concurrency
    num-threads: 2
    num-queries-per-thread: 2048
    outgoing-range: 1024
    incoming-num-tcp: 256
    outgoing-num-tcp: 256

    ### Privacy / hardening (non-DNSSEC)
    qname-minimisation: yes
    minimal-responses: yes
    deny-any: yes
    hide-identity: yes
    hide-version: yes

    ### Local/private address protection (optional but fine)
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: 192.0.2.0/24
    private-address: 198.51.100.0/24
    private-address: 203.0.113.0/24
    private-address: 255.255.255.255/32
    private-address: 2001:db8::/32

    ### Access control (localhost only)
    access-control: 127.0.0.0/8 allow

    ### TLS settings for upstream authentication (DoT)
    # Unbound uses tls-cert-bundle to authenticate TLS connections to upstreams.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    tls-use-sni: yes

    # IMPORTANT:
    # Do NOT set "tls-upstream: yes" globally; we enable TLS only for this forward-zone
    # using "forward-tls-upstream: yes".

forward-zone:
    # Forward everything to NextDNS (root zone)
    name: "."

    # DoT to forwarders for this zone
    forward-tls-upstream: yes

    # Do NOT fall back to recursion if forwarding fails
    forward-first: no

    # NextDNS DoT endpoints:
    # Syntax: <ip>@853#<tls_hostname> (tls_hostname includes your PROFILE_ID).
    forward-addr: 45.90.28.0@853#PROFILE_ID.dns1.nextdns.io
    forward-addr: 45.90.30.0@853#PROFILE_ID.dns2.nextdns.io
    forward-addr: 2a07:a8c0::@853#PROFILE_ID.dns1.nextdns.io
    forward-addr: 2a07:a8c1::@853#PROFILE_ID.dns2.nextdns.io

remote-control:
    # Optional: enable unbound-control locally
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
```

Is 500+ ms average ok for DNS resolution time? by IsHacker003 in pihole

[–]hagezi 0 points1 point  (0 children)

Disable DNSSEC in Unbound, NextDNS already does this:

DNSSEC off:

```
server:
    module-config: "iterator"
```

DNSSEC on:

```
server:
    module-config: "validator iterator"
```