
Blocking Ads and Malware with Pi-hole

Nearly a third of the DNS requests leaving our household are junk: ads, trackers, telemetry, malware callbacks. Pi-hole refuses to resolve the ones on its lists, so the content behind them never reaches a device.

I have been running Pi-hole for years, and it has been rock solid. It acts as the network's DNS resolver, checking every lookup against curated blocklists before forwarding it upstream. Once your router (or Pi-hole's own DHCP server) hands it out as the DNS server, every device on the network benefits automatically, with no per-device setup.

But Pi-hole is only as good as the blocklists you feed it. After years of testing different combinations, I settled on a lean setup that blocks aggressively without breaking things.

Why Hagezi over traditional blocklists

Most Pi-hole guides recommend stacking half a dozen lists from different maintainers. I used to do that too. The problem: overlap, bloat, and inconsistent quality.

Hagezi's DNS blocklists changed that. Instead of cobbling together collections, Hagezi optimizes and deduplicates hundreds of sources into a single, well-maintained set. He also tests every list against the top 10,000 websites to minimize false positives while maximizing coverage.

Hagezi offers five Multi tiers: Light, Normal, Pro, Pro++ and Ultimate. The Multi Pro list hits the sweet spot: balanced blocking with roughly 390,000 domains that rarely breaks anything. It is the maintainer's own recommendation for everyday use.

My Pi-hole blocklist setup

Two Hagezi lists cover ads and security. Two additional lists add dedicated malware coverage from independent sources, and a fifth serves as a conservative catch-all.

Hagezi Multi Pro — Ad and tracker blocking

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.txt

The all-in-one workhorse. It blocks ads, affiliate links, tracking, metrics, telemetry, phishing, scam, fake sites, and cryptojacking. Hagezi classifies the "Pro" tier as "balanced": aggressive enough to make a difference, yet conservative enough not to break your smart TV or banking app. The adblock/ path is the ABP-style format (one ||domain^ rule per line) that current Pi-hole releases accept in gravity; Hagezi publishes the same list under domains/ and hosts/ for older Pi-hole versions and other resolvers, so pick the path your version understands.

Hagezi Threat Intelligence Feeds (TIF) — Security layer

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt

A dedicated security list that blocks domains known to spread malware, host command-and-control servers, and launch phishing attacks. Hagezi sources it from real-time threat intelligence feeds and updates it frequently. He recommends running TIF alongside any Multi list for maximum protection.

URLhaus by abuse.ch — Malware distribution

https://urlhaus.abuse.ch/downloads/hostfile/

Operated by the Switzerland-based abuse.ch project, URLhaus tracks URLs actively used to distribute malware. It focuses on live threats: the hosts serving payloads right now. Community-driven with rapid updates. One caveat: URLhaus records URLs, and the hostfile collapses each one to its hostname, so a compromised page on a shared host blocks the whole host. If a legitimate site disappears after adding this list, check the query log for a hit from here first.

The Block List Project — Malware

https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt

A community-maintained list focused exclusively on domains linked to malware distribution and command-and-control infrastructure. Since it draws from different sources than Hagezi, it catches domains the other feeds may not cover yet.

OISD Big — Comprehensive catch-all

https://big.oisd.nl

OISD takes the opposite approach to aggressive lists: it prioritizes not breaking things. While it blocks ads, malvertising, spyware, ransomware, and tracking, it explicitly avoids interfering with shopping sites, social media, and link shorteners. The maintainer calls it the list that "passes the girlfriend test", and in this setup it is a safety net rather than a malware feed: it catches what the others miss without adding whitelist work.

What to expect

This combination blocks roughly 30% of all DNS queries in my household. Almost all of it is ad and tracker related. You will notice it immediately: pages load faster and smart TVs stop phoning home to telemetry servers. Do not expect YouTube pre-rolls to vanish, though: they are served from the same hostnames as the videos, so a DNS filter cannot separate them.

You will rarely need to whitelist anything — perhaps once or twice a year when a niche service shares a domain with a tracker. When that happens, Pi-hole's query log makes it easy to identify the blocked domain and add an exception.

The Hagezi lists do the heavy lifting on ads and trackers. URLhaus and the Block List Project then add defense in depth on malware: different sources, different update cycles, different detection methods. OISD sits underneath as the conservative safety net.

Limitations

Pi-hole operates at the DNS layer only, and only for queries that actually reach it. It does not cover:

  • Direct IP connections — Traffic that never performs a lookup, such as malware with hardcoded C2 addresses
  • Hardcoded resolvers — Devices and apps that ship with their own DNS server and ignore the one DHCP hands out (Chromecasts are the classic example of querying 8.8.8.8 directly). Google Chrome's Secure DNS keeps using the system resolver when that resolver is a plain one like Pi-hole, but a user can point it at a custom DoH provider.
  • Encrypted DNS — DNS over HTTPS (tcp/443) or DNS over TLS (tcp/853) to a public resolver skips your local resolver entirely

Two measures close most of the gap: a firewall rule on the router that drops or redirects outbound port 53 from anything except the Pi-hole and drops port 853, and blocking the hostnames of public encrypted-DNS servers so clients cannot bootstrap DoH (Hagezi maintains a separate list of those servers for exactly this purpose). Neither helps against an app that reaches its resolver by IP over 443.

Pi-hole is one layer, not the whole stack. Pair it with a browser-based content blocker like uBlock Origin for the best results. uBlock catches what DNS blocking cannot: inline scripts, first-party tracking, and cosmetic ad elements.
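Finding out which clients actually bypass the Pi-hole is a quick log review. The script below is an added example, not part of the original post or of Pi-hole itself: it scans a connection log for the three bypass patterns described above (plaintext DNS to a resolver other than the Pi-hole, DNS over TLS on port 853, and TLS to the anycast addresses of well-known public DoH resolvers) and reports findings per client. The log format, the Pi-hole address 192.168.1.2, the LAN clients and the resolver IP list are assumptions for the example; the sample flows are constructed, and the flow parser is the part to adapt to whatever your router or firewall exports.

```python
"""Flag LAN clients that bypass the Pi-hole, from a simplified connection log.

Added example. The log format ("<ts> <src> <dst> <proto> <dport>", one flow per
line), the Pi-hole address and the sample flows are constructed for this example.
"""
import ipaddress
from collections import defaultdict

PIHOLE_IP = ipaddress.ip_address("192.168.1.2")  # assumed Pi-hole address

# Anycast addresses of public resolvers that also serve DoH on 443. Deliberately
# short; a DoH server hosted on a generic CDN address cannot be identified this way.
KNOWN_DOH_IPS = {ipaddress.ip_address(ip) for ip in (
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "8.8.8.8", "8.8.4.4",          # Google
    "9.9.9.9", "149.112.112.112",  # Quad9
)}

# Constructed sample flows. 192.168.1.20 behaves; .31 and .42 do not; .2 is the
# Pi-hole forwarding upstream, which is legitimate. 203.0.113.10 is a
# documentation-range address standing in for an ordinary web server.
SAMPLE_FLOWS = """\
# ts                  src           dst             proto dport
2024-05-01T10:00:01 192.168.1.20 192.168.1.2     udp 53
2024-05-01T10:00:02 192.168.1.31 8.8.8.8         udp 53
2024-05-01T10:00:03 192.168.1.31 8.8.8.8         tcp 443
2024-05-01T10:00:04 192.168.1.42 9.9.9.9         tcp 853
2024-05-01T10:00:05 192.168.1.20 203.0.113.10    tcp 443
2024-05-01T10:00:06 192.168.1.2  1.1.1.1         udp 53
"""


def classify_flow(src, dst, proto, dport):
    """Return a finding label, or None if the flow does not bypass the Pi-hole."""
    if src == PIHOLE_IP:
        return None                  # the Pi-hole's own upstream queries are expected
    if dport == 53 and dst != PIHOLE_IP:
        return "plain-dns-bypass"    # hardcoded resolver, e.g. 8.8.8.8
    if dport == 853 and proto == "tcp":
        return "dns-over-tls"        # Android Private DNS, systemd-resolved DoT, ...
    if dport == 443 and proto == "tcp" and dst in KNOWN_DOH_IPS:
        return "probable-doh"        # the URL is invisible, but nothing else lives there
    return None


def parse_flow(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def find_bypass(log_text):
    """Map client IP -> sorted list of (finding, destination) for every bypass seen."""
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = parse_flow(line)
        label = classify_flow(src, dst, proto, dport)
        if label:
            findings[str(src)].add((label, str(dst)))
    return {client: sorted(hits) for client, hits in findings.items()}


if __name__ == "__main__":
    for client, hits in find_bypass(SAMPLE_FLOWS).items():
        for label, dst in hits:
            print(f"{client}: {label} -> {dst}")
```

The clients this reports are the ones to fix at the source (disable Private DNS on the phone, set the TV's DNS manually) or to catch with the router rules above; a plain-dns-bypass finding that survives a port 53 redirect rule means the rule is not matching that client.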

Key takeaways

  • Use Hagezi Multi Pro + TIF as your Pi-hole foundation — one optimized list beats six overlapping ones
  • Layer malware lists from independent sources (abuse.ch URLhaus, Block List Project) for defense in depth, with OISD Big as a conservative safety net
  • Expect ~30% of DNS queries blocked with minimal whitelisting needed
  • Combine Pi-hole with uBlock Origin in the browser — DNS blocking alone is not enough, and hardcoded or encrypted resolvers need firewall rules to be caught
  • Start conservative, then tighten — you can always move from Pro to Pro++ if you want more aggressive blocking
