Saturday, October 27, 2018

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is an open source software that can be effectively used to block Internet Advertisements (Ads), adware, and malware on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS and DNS-over-HTTPS, Technitium DNS Server provides a good level of security and privacy against network-level DNS attacks and adware. This makes it a must-have tool if you are a privacy and security conscious person.

Technitium DNS Server is cross platform and works on Windows, Linux or macOS.

Technitium DNS Server v2.0

How Does It Work?
The Ad blocking feature works using the DNS Sinkhole method. With this feature enabled, the DNS Server answers queries for all blocked domain names with the IPv4 address 0.0.0.0 and the IPv6 address ::, so the Ads fail to load and the websites you visit are free from Ads. Depending on the block lists you configure in settings, this can block not only Ads but also adware, malware, social networks, porn, etc.

On your computer, install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, configure the Block List URL settings to start blocking Ads. Once the DNS Server has loaded the block lists, it responds with the sinkhole IP address for blocked websites, making them fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router's DHCP settings with the IP address of this spare computer as the DNS server. With this setup, all your computers and devices, such as mobile phones, use the installed DNS Server, blocking Ads and malware domains on all devices without installing any additional software on them.
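To make the sinkhole mechanism concrete, here is an added example (not code from Technitium DNS Server) that parses a block list in the common hosts-file format, matches queried names against it the way a blocked zone would, and returns the 0.0.0.0 / :: answers described above; the allow-list override models the Allowed Zones mentioned in the comments. The sample list is constructed, and the suffix-matching and empty-answer behaviour for non-address queries are assumptions about how a zone-based sinkhole behaves.

```python
from __future__ import annotations
import ipaddress

# Sinkhole answers: the unspecified addresses, so blocked hosts never connect.
SINKHOLE = {"A": "0.0.0.0", "AAAA": "::"}
# Names that appear in hosts-format lists but are not ad domains.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

# Constructed sample block list: hosts-format lines, a bare-domain line,
# a comment and a localhost entry, as real public lists contain.
SAMPLE_BLOCK_LIST = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
malware.example.org
"""

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_block_list(text: str) -> set[str]:
    """Collect domain names from 'IP domain' or bare 'domain' lines.
    The address column of hosts-format lines is discarded: only the name
    matters, the server supplies its own sinkhole address.
    """
    names: set[str] = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and _is_ip(parts[0]):
            parts = parts[1:]
        names.update(p.lower().rstrip(".") for p in parts if p.lower() not in HOSTS_NOISE)
    return names

def resolve(qname: str, qtype: str, blocked: set[str], allowed: set[str] = frozenset()) -> list[str] | None:
    """Answer a query against the blocked zone (assumed zone-style matching).
    Returns None when the name is not blocked (forward upstream), the sinkhole
    address for A/AAAA, and an empty answer for other types. A name matches
    when it or any parent domain is listed; an allowed entry overrides it.
    """
    labels = qname.lower().rstrip(".").split(".")
    zones = {".".join(labels[i:]) for i in range(len(labels))}
    if zones & allowed or not zones & blocked:
        return None
    return [SINKHOLE[qtype]] if qtype in SINKHOLE else []
```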

Configuring Block Lists
To enable Ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop-down list, from where you can just click to add those URLs.

Technitium DNS Server Block List Configuration

If you are not sure, just select the Default option from the Quick Add drop-down list and a default set of block list URLs will be configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download in the background. The configured block lists are automatically re-downloaded every 24 hours to keep the DNS Server's blocked zone updated.

Don't forget to configure your network adapter's DNS server settings to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server won't receive any queries to respond to and things won't work as intended.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If many block list URLs are configured, it may take a few more minutes for all of them to be downloaded and loaded.

If you have any further queries, do write them below as comments or send an email to


  1. Question: As a developer - and a lazy developer at that - I've previously used my own little bash scripts to populate my hosts file in Linux. In Windows I've formerly tried to use Acrylic DNS with little to no success.
    This, however, works right out of the box - which is fantastic!

    I, however, have a question: Would it be possible to import my own dev-redirects the same way as I today can import or add my own domains to block via blocklist.txt on the local webserver?
    I had a quick peek at the source code and it really isn't my preferred language, but... Am I correct in assuming it's a case of using the provided IP address instead of replacing it with the sinkhole?

    Thing is; I keep lists in simple hosts format (ip domain) which are updated script-wise according to my location - and thus DHCP-provided IP address. This way I would be able to run a very script which inserts my local IP address at the current location into said list(s).

    The alternative is, I guess, to enter several A-records in my zones and extending the TTL for the different ip-series accordingly, 1800 for work, 3600 for home, 7200 for public, etc.

    Excellent piece of software, would appreciate the possibility to import dev-server lists.

    1. Thanks for the compliments. The block zone implementation in the DNS Server uses the domain names from the block lists and always uses the IP address 0.0.0.0 to sinkhole the domain name.

      To use domain names for development/production testing scenarios, you can add the domain as a Zone in the DNS Server. You can then set Type A records for the IP addresses and enable/disable individual records, or you can disable the entire zone. When the zone is disabled, the DNS Server will return records from the actual name server hosting the domain name in production.

      You can easily automate this by using the REST API that the DNS Server web console itself uses in its JavaScript code. If you have any queries or need any more details, do let me know over email at

  2. Is there a way to white list certain domains from the block list?

    1. Yes, you can add your domains in the Allowed Zones to override the block list.

  3. Using this app and it is working well; however, the log file dates are an hour out. I'm in the UK, so I'm guessing it's not taking into account the DST of +1.

    If somehow it can use the time of the host computer in the logs, it would be appreciated.
    Having to remember to add an hour on is easy enough but makes it hard when tracking requests.

    Many thanks

    1. Thanks for the feedback. The date time in logs is in UTC and not GMT, so it does not have daylight saving. I am planning to have some option to set the timezone for logging in the next update.

  4. Hi,
    Can I redirect to a specific URL or IP for a custom error message?
    Great software !!!


    1. Technically you can return any IP address from the DNS server instead of 0.0.0.0 for blocked domain names, but practically it won't work.

      This is because most websites nowadays are served over HTTPS, and thus you won't be able to show a custom error message for most websites. If you implement it, users will mostly see SSL certificate error notices instead of your custom error page.

      Secondly, most blocked items are Ads that are loaded using iframes, and that space will also show SSL errors and create a mess.