Privacy Tool Spotlight: HaGeZi's DNS Blocklists
In our last two posts, "Privacy Tool Spotlight: DNS" and "Privacy Tool Spotlight: DNS (Part 2)", we covered the basics of how DNS works and the different options available to you.
One of the most powerful tools we highlighted in both posts is DNS blocklists. These lists help stop ads, trackers, and malware before they ever reach your devices. You can use them in many easy ways: through browser extensions like uBlock Origin, built directly into browsers like Brave, network-wide solutions like Pi-hole, or filtering DNS services such as NextDNS and Control D.
Beyond just cleaning up your browsing experience, DNS blocklists actually save your data. They prevent unwanted content from loading in the first place, so your device never has to download all that junk.
Let's take a closer look at how these lists work, how they're kept up to date, and why they have become so important for staying safe and private on today's internet.
What Are DNS Blocklists?
Simply put, DNS blocklists are curated collections of websites and domains that you probably want to avoid. They act like a big "do not visit" list for your internet connection.
These lists can block many different types of unwanted content, including:
- Malicious websites that spread malware
- Phishing sites trying to steal your information
- Advertisements and trackers
- Adult content, gambling sites, and more
Well-known domains for ads and trackers tend to stay fairly consistent over time. However, dangerous malware and phishing sites can appear and disappear quickly, so the best lists stay very active.
When your device tries to visit a domain on the blocklist, the DNS resolver simply replies with "this site doesn't exist" (called an NXDOMAIN response) or sends it to a dead end address like 0.0.0.0. Either way, your device is told the site can't be reached and moves on safely without ever loading the unwanted content.
How Are Blocklists Maintained?
A strong DNS blocklist is only as good as the team (or community) behind it. These lists are maintained by organizations and dedicated volunteers who use several methods to keep them accurate:
- Automated crawling that scans the web for new threats
- Threat intelligence from security researchers
- Manual verification and research to double-check findings
- Community reports from real users who discover new problem sites
The best lists are updated frequently and focus on minimizing false positives so you don't accidentally block sites you actually want to visit.
Are There False Positives?
Yes, false positives can happen from time to time. Maintenance teams work hard to fix them through a careful delisting process.
For example, if one blog on a large shared hosting service does something malicious, the entire service might temporarily get blocked. Once the issue is resolved, the affected domains need to be removed from the list.
Here are the main ways false positives get corrected:
- Automatic Expiration: Many lists automatically remove entries after a set period if no further bad activity is detected (for example, a site stops hosting malware for 24 hours).
- User Remediation: Website owners can request removal through official channels once they have cleaned up any problems.
- Community Reporting: Open-source lists like those from HaGeZi rely on GitHub issues and user reports to quickly identify and whitelist legitimate sites.
This careful balance of automation and human oversight keeps the lists both effective and fair.
Browser or Network?
You can use DNS blocklists in two main ways: through your browser or at the network level.
The most common approach is browser-based blocking. This includes popular tools like the uBlock Origin extension or privacy-focused browsers like Brave. Since most people spend their time in a web browser, this method works very well for everyday use.
However, many apps and devices on your network also connect to the internet behind the scenes. These apps often send tracking data or pull in advertisements, sometimes sharing sensitive details like your location.
To show how effective network-wide blocking can be, we once tested a single device using one of the device-specific blocklists. In just four days, it blocked over 16,000+ tracking and advertising attempts - all from a single device!
For this reason, we recommend going as broad as possible. You can use device-level solutions like Control D, or set up network-wide protection at home with Pi-hole or similar tools. The wider the protection, the more privacy and performance you gain.
HaGeZi's DNS Blocklists
One of the most popular and highly regarded DNS blocklist projects is HaGeZi. Many services, firewalls, and privacy tools include HaGeZi lists because they deliver excellent results with very few problems.
HaGeZi lists stand out because they are carefully curated rather than just thrown together. The maintainer, Gerd, actively removes dead domains, reduces bloat, and fixes false positives. This results in clean, efficient lists that protect your privacy without breaking websites.
Here’s why so many people use them:
- Graduated Aggressiveness: There are five different levels — Light, Normal, Pro, Pro++, and Ultimate. Most people start with Light for maximum stability. Advanced users often choose Pro++ or Ultimate for stronger protection. We are currently running Ultimate and find it very effective.
- High-Quality Curation: The lists are tested against major datasets like the Cisco Umbrella Top 1 Million websites to ensure they block real threats while staying reliable.
- Broad Compatibility: They come in many formats that work with Pi-hole, AdGuard Home, routers, and other tools. You can also mix in extra lists for specific categories like social media or gambling.
- Active Community: The project is fully open-source with regular updates. The maintainer responds to feedback and provides clear guidance, which builds a lot of trust.
What Are We Running?
We use HaGeZi Multi Ultimate as our main DNS blocklist. We also layer on their specific lists for Amazon, Apple, and Roku services. These are combined with additional lists on our firewall to block as much unwanted traffic as possible.
When we pair all of this with the Brave browser, the difference in speed, cleanliness, and overall privacy is very noticeable. Our internet experience feels much lighter and more private. In short, there is less internet noise to distract us.
You Deserve a Better Experience
Now that we've covered what DNS is, how it works, the various options available, and why strong DNS blocklists make such a big difference, it's time to take the next step.
You deserve a cleaner, faster, and more private internet - one with far less noise, fewer distractions, and better protection. Whether you start simple with a device level app like Control D, try a privacy browser like Brave, or go full network-wide with Pi-hole or a compatible firewall, even small changes can deliver noticeable improvements right away. Consider giving one of these options a try today.
Remember: We may not have anything to hide, but everything to protect.
