The Pi-hole_list project is an initiative that aims to lock down and secure the entire network through its own hardware. In this repository, it is installed via Docker®. Pi-hole® and Adguard Home® are DNS sinkholes that protect your devices from unwanted content without the need to install any software on client devices.
PROJECT | INSTALLER LINK | DEVELOPER LINK |
---|---|---|
Adguard Home® | INSTALLATION | DEVELOPER |
Pi-hole® | INSTALLATION | DEVELOPER |
⚠️ This README has been translated into Spanish .
Este README ha sido traducido a español . ➡️ here.
These lists were created because I wanted something with a bit more control over what gets blocked. A lot of lists are all-or-nothing. We set out to create lists with more control over what gets blocked, which is why I recommend my lists to you, as they are tested and we block only what is unnecessary.
Original version:
All urls in this version are preceded by an IP address in the txt or host file:
0.0.0.0 example.com
– It will forward the domain example.com to the address 0.0.0.0 (but not for its subdomains).
127.0.0.1 example.com
– will return the address 127.0.0.1 for the domain example.com (but not for its subdomains).
Version without IP on the left:
All urls in this version no are preceded by an IP address in the txt or host file:
example.com
Our users have reported to us that some devices give an error if the url is preceded by an IP address.
Adguard version:
All urls from this version of the **AdGuard** list appear in the hosts file as follows:
||example.org^
– blocks access to the domain example.org
and all its subdomains
@@||example.org^
– unlocks access to the example.org
domain and all its subdomains.
/REGEX/
– blocks access to domains matching the specified regular expression. For example, the rule /example.*/
will block hosts matching the example.*
$
– This is the delimiter, which indicates that the rest of the rule is a modifier. Modifiers must be placed at the end of the rule after the character and separated by commas. For example, the modifiers must be placed at the end of the rule after the character and separated by commas. ||example.org^$important
.
$important
– The modifier applied to a rule increases its priority over any other rule without the modifier. Even above the basic exception rules.
*
– the wildcard character. It is used to represent any set of characters. It can also be an empty string or a string of any length.
^
– the separator character. Unlike browser ad blocking, there is nothing to separate in a hostname, so the only purpose of this character is to mark the end of the hostname.
|
– a pointer to the beginning or end of the host name. The value depends on the location of the character in the mask. For example, the rule ample.org|
corresponds to example.org
, but not to example.org.com
. |example
corresponds to example.org
but not to test.example.org
The instructions are current as of AdGuard Home v0.107.2. AdGuard supports older versions. The instructions it supports AdGuard Home.
Comments on the lists:
All urls for this version of the list appear in the hosts file in the following way
# comment
– just a comment
! comment
– just a comment
Use with Pi-Hole :
- Copy the link to the Pi-hole format of the desired list (from the corresponding table below).
- Add the URL to your Pi-hole block lists (Login > Groups management > Lists > Paste the URL of the list in the "Address" field, add a comment > Click "Add ").
- Update Gravity (Tools > Update Gravity > Click on "Update " )
Current instructions as of Pi-hole 5.2.4. Instructions may be slightly different at present. Instructions will be updated when version 6 is released.
Use with AdGuard Home :
- copy the link to the AdGuard format corresponding to the desired list (from the corresponding table below).
- Add the URL to your AdGuard block list (Login > Filters > DNS block lists > Add block list > Add a custom list > Enter name > Paste the URL of the copied link).
- The list is automatically activated and is ready to start blocking.
Instructions are current as of AdGuard Home v0.107.2
- One of the recommendations, in AdGuard settings, General configuration, Filter update interval in 1 hour. It will update the rules every hour.
In order to change the password in Adguard we can access these websites and create a username and password:
We create the user and password. Once created, it has this format:
user:$apr1$x4gcjzrl$qSvcJK46C2rQUGRl4z1kl0
Once the user and password have been created, we proceed to access the adguard configuration file, AdGuardHome.yaml
.
We look for the following line in the configuration file and replace the created data.
- For the
user
: user - For the
password
: $qSvcJK46C2rQUGRl4z1kl0
users:
- name: user
password: $apr1$x4gcjzrl$qSvcJK46C2rQUGRl4z1kl0
Once the data has been changed, restart adguard.
In AdGuard settings, DNS settings:
- Upstream DNS servers, copy one of these URLs:
For Cloudfare DoH-DoT:
https://dns.cloudflare.com/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
For DoH-DoT de Quad9:
https://dns.quad9.net/dns-query
tls://dns.quad9.net
and check the option: "Load balancing", by default this option is checked.
- Boot DNS servers, we put the DNS of our choice:
Cloudflared in both IPv4 and IPv6:
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Quad9 in both IPv4 and IPv6:
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::fe:9
- DNS server configuration, check the option "Enable DNSSEC".
Create the self-signed personal certificate with Let's Encrypt:
Installing a free SSL certificate with CertBot:
1️⃣ We update the list of packages.
sudo apt update && sudo apt upgrade
2️⃣ Install the Certbot package
sudo apt install certbot
3️⃣ In this section we are going to see the most important options of the command. You can choose the options that you consider most convenient.
Certbot supports a lot of command line options. Here’s the full list, from certbot --help all
:
👉 3.1 You can add as many domains as you wish with the --domain
variable. Example:
Description | example |
---|---|
--domain | --domain example.com --domain example.org |
--domain | --domain example.org,www.example.org |
-d | -d example.com -d example.org |
-d | -d example.org,www.example.org |
👉 3.2 You can change the variable --rsa-key-size
to the size:
Bit size | Description |
---|---|
512 | Insecure |
1024 | Basic security |
2048 | Recommended security |
4096 | Increased security |
8192 | Maximum security |
👉 3.3. --csr
The csr variable and a .cnf
file can perform the following functions. Currently --csr only works with the certonly
subcommand.
👉 3.4. --config-dir
You can configure the configuration file with the variable.
👉 3.5. --test-cert, --staging
Use the Let's Encrypt staging server to obtain or revoke test (invalid) certificates; equivalent to --server acme-staging
👉 3.6. --hsts
Add the Strict-Transport-Security header to every HTTP response. Force the browser to always use SSL for the domain.
👉 3.7. --key-type {rsa,ecdsa}
. Type of generated private key. Only ONE per invocation can be provided at this time.
👉 3.8. --quiet
Silence all output except errors.
👉 3.9. --cert-name
Certificate name to apply. This name is used by Certbot for housekeeping and in file paths; it doesn't affect the content of the certificate itself.
👉 3.10 --debug
Show tracebacks in case of errors
👉 3.11 --dry-run
Perform a test run against the Let's Encrypt staging server, obtaining test (invalid) certificates but not saving them to disk.
👉 3.12 --dns-cloudflare
Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
👉 3.13. --server
Choose the ACME Directory Resource URI for your server.
Description | Server |
---|---|
Certificate for production server | https://acme-v02.api.letsencrypt.org/directory |
Certificate for test server | https://acme-staging-v02.api.letsencrypt.org/directory |
👉 3.14. --elliptic-curve
(default: secp256r1) The SECG elliptic curve name to use.
Type algorithm | Bit size | Description |
---|---|---|
secp192r1 | 192 | Insecure |
secp224k1 | 224 | Basic security |
secp224r1 | 224 | Basic security |
secp256k1 | 256 | Recommended security |
secp256r1 | 256 | Recommended security |
secp283k1 | 283 | Basic security |
secp283r1 | 283 | Basic security |
secp384r1 | 384 | Recommended security |
secp409r1 | 409 | Maximum security |
secp409k1 | 409 | Maximum security |
secp521r1 | 521 | Maximum security |
secp571r1 | 571 | Maximum security |
secp571k1 | 571 | Maximum security |
For the choice of the key to be chosen the difference in the definition of the base point has two important consequences:
- The secpXXXk1 curve has a higher computational efficiency than the secpXXXr1 curve. This is because the base point of the secpXXXk1 curve is a generation point, which means that it can be used to generate all the other points of the curve. The base point of the secpXXXr1 curve, on the other hand, is not a generation point, so more operations need to be calculated to generate all the other points of the curve.
- The secpXXXr1 curve has higher security than the secpXXXk1 curve. This is because the base point of the secpXXXr1 curve is a more random point than the base point of the secpXXXk1 curve. This makes it more difficult for attackers to find points on the curve that are not in the set of generation points. In general, the secpXXXXk1 curve is a good choice for applications that require computational efficiency, while the secpXXXr1 curve is a good choice for applications that require security.
Examples of applications that could use each curve:
Feature | secpXXXk1 | secpXXXr1 |
---|---|---|
base point | Lower | Higher |
Type | Computational | Security |
Computational Efficiency | Higher | Basic |
Security | Basic | Higher |
Common uses | Digital signature, Cryptocurrencies, public keys encryption | Public key encryption for critical applications, encryption, Public Key Infrastructure (PKI) |
Run the following command modifying the valid email and options as you see fit for your example.
This example is for acquiring a Wildcard certificate:
certbot certonly --manual --preferred-challenges=dns --rsa-key-size 4096 --email [email protected] --agree-tos
--server https://acme-v02.api.letsencrypt.org/directory -d "*.your_domain"
4️⃣ Finally, it will ask to make an _acme-challenge
TXT record in our name server provider with the content it tells us:
With cerbot, when using the dns challenge, certbot will ask you to place a TXT DNS
record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended _acme-challenge
.
For example, for the domain example.com
, a zone file entry would look like:
_acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
It creates the following files, in the directory /etc/letsencrypt/live/
:
fullchain.pem
– your SSL certificate encrypted in PEM.privkey.pem
– your private key encrypted in PEM.
To check if the certificate will self-renew:
- Renewal test (simulación):
certbot renew --dry-run
- Check the status of the Certbot timer service:
systemctl status certbot.timer
- To renew a certificate:
certbot renew
- To force self-renewal:
--force-renewal
- To force self-renewal:
- To list jobs:
systemctl list-timers --all
Debe aparecer el siguiente configurado para la renovación automática:certbot.timer - certbot.service
- Listing certificates:
certbot certificates
To revoke a certificate:
- Delete a certificate completely:
certbot delete --cert-name example.com --reason keycompromise
- From the account for which the certificate was issued:
certbot revoke --cert-path /etc/letsencrypt/archive/${YOUR_DOMAIN}/cert1.pem --reason keycompromise
- Using the certificate's private key:
certbot revoke --cert-path /PATH/TO/cert.pem --key-path /PATH/TO/key.pem --reason keycompromise
If you do not want to follow all these steps, you can obtain the certificate with ZeroSSL
, but the wildcard certificate is charged.
Create the self-signed personal certificate:
Steps you can follow to create a self-signed RSA certificate using OpenSSL with SHA-512 and Subject Alternative Names (SAN).
To learn more about on useful openssl commands for certificates:
- We update the list of packages.
sudo apt update && sudo apt upgrade
- Make sure you have OpenSSL installed on your system before proceeding. Install the openssl package:
sudo apt install openssl
- Create the directory where we want to store the certificates:
mkdir certs &&\
cd certs/
-
Create certificate with the following command, changing the certificate path or leave the name of the .key and dot crt to store it in the directory:
4.1 Generate an RSA private key:
openssl genpkey -algorithm RSA -out privkey.key -pkeyopt rsa_keygen_bits:2048
4.2 Next, we will create a certificate request (CSR) which will contain the certificate information:
vi csrconfig.cnf
[req] distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] commonName = your website domain name organizationName = Your Company Name countryName = ES [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = www.example.com
4.3 We generate the self-signed certificate with the CSR data:
openssl req -new -key privkey.key -out chain.csr -sha512 -config csrconfig.cnf
4.4 Create self-signed certificate in PEM format:
openssl x509 -req -in chain.csr -signkey privkey.key -out fullchain.pem -sha512 -days 365 -extfile csrconfig.cnf -extensions v3_req
4.5 After creating the self-signed certificate, we can verify the content of the certificate if it has been created correctly:
openssl x509 -in fullchain.pem -text -noout
- Open the AdGuard Home web interface and go to configuration.
- Scroll down the menu to settings:
Encryption settings
. - Enable check
Enable encryption (HTTPS, DNS via HTTPS and DNS via TLS)
. - Enable
Redirect to HTTPS automatically
. - Enter your domain name in
Server name
. If you are entering a wildcard, enter the domain name only"example.com"
. - Copy/paste the contents of the file
fullchain.pem
inCertificados
. - Copy / paste the contents of the file
privkey.pem
inPrivate key
. - Click
Save configuration
.
To create a zone in your domain to enable clients, follow these steps:
- Mainly in the encryption Adguard section, you must enable the domain
example.org
. - You have the wildcard
*.example.org
certificate created.
- Log into the control panel of your web hosting provider or domain registrar where you purchased the domain name.
- Find the
DNS Zones
option. - Create a new
DNS Zones
entry. To add the entry for each client, e.g.one.example.org
. This will allow the client created in theClient Configuration
panel to connect. - Configure
Settings/Client Configuration/Persistent clients
. ClickAdd Clients
and underIdentifier
create a name.
Current instructions in the developer's documentation documentación.
List | Link | Description |
---|---|---|
safelist repository | safelist JuanRodenas | |
safelist hagezi | safelist hagezi (Not tested) |
Column Link: Pi-hole® | Adguard Home®.
List Host | Link | Description |
---|---|---|
List oisd | | | To Block host Adguard and domains dbl.oisd |
The big list | | | The big list oisd |
urlhaus-filter-domains | | | urlhaus-filter DEV Link |
everything | | | To Block everything |
energized pro | | | To Block energized |
d3ward | | | d3ward popular list |
List | Link | Description |
---|---|---|
The NSFW list | | | The NSFW list oisd |
Gambling-porn | | | To Block Gambling and porn |
Malware | | | To Block malware |
Ransomware | | | To Block ransomware |
phishing | To Block phishing |
List Tracking/Ads | Link | Description |
---|---|---|
SmartTV | | | To Block SmartTV |
WindowsSpyBlocker | To Block WindowsSpyBlocker | |
GoodbyeAds-Ultra | | | To Block hagezi and jerryn70 |
ads-and-tracking-extended | To Block ads-and-tracking-extended | |
Adblock_Plus | | | To Block Tracking AdBlock |
Android tracking | Android tracking for AdGuard Home | |
Disconnect.me | | | To Block disconnect.me |
List Services | Link | Link dev | Description |
---|---|---|---|
uBlock filters | Link DEV | uBlock filters | |
Badware risks | Link DEV | uBlock filters – Badware risks | |
Privacy | Link DEV | uBlock filters – Privacy | |
Quick fixes list | Link DEV | Quick fixes list | |
Resource abuse | Link DEV | uBlock filters – Resource abuse | |
Unbreak | Link DEV | uBlock filters – Unbreak | |
i-dont-care-about-cookies | Link DEV | i-dont-care-about-cookies | |
urlhaus-filter | Link DEV | urlhaus-filter |
A tab has been added for AdGuard with lists adapted to its format.
Cloudflare:
Page to check encryption of Cloudflare
- Secure DNS: a technology that encrypts DNS queries and includes DNS-over-TLS and DNS-over-HTTPS.
- DNSSEC: a technology designed to verify the authenticity of DNS queries.
- TLS 1.3: the latest version of the TLS protocol that includes many improvements and closes security holes from previous versions.
- Encrypted SNI: stands for Server Name Indication encryption that reveals the hostname during a TLS connection. This technology aims to ensure that only the IP address can be leaked.
The only browser that supports all four technologies is Firefox.
network.security.esni.enabled
- pulsamos en el +
y se ponga en true
.
network.trr.mode
– (valor 2)
network.trr.uri
– valor en la web Mozilla.
HTTPS-Only Mode
- pulsamos en el +
y se ponga en true
.
Link to the developer of the application:
Any and all rights and responsibilities pertaining thereto remain the property of the respective developer.
If you want to contribute to improve the lists, open a issue
here:
This repository is made with all my love and affection.
These files/texts are provided "AS IS", without warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose and non-infringement. In no event shall the authors or copyright holders be liable for any claims, damages or other liability arising out of or relating to the files or the use thereof.
I will be updating with information and adding procedures in my spare time. The author of the content is JuanRodenas. You can contact me at mailto and the author's website is website.
Any and all trademarks are the property of their respective owners.