DNS & Adlist

Hi,
I’ve just bought a Hex S for my home network and all is working well, in general. Some questions about the DNS resolver & new adlist feature (am on 7.18):

  • I use the Steven Black list as per the docs, 132k entries loaded, however CNAME records still resolve:
me@pc:~$ host api.taboola.com
api.taboola.com has address 0.0.0.0
api.taboola.com has IPv6 address ::
api.taboola.com is an alias for tls13.taboola.map.fastly.net.

… so some adverts are still getting through - is there anything I’m missing here? I’ve cleared the cache, yet the above domain always seems to re-resolve and appear back in the cache.

  • as has been mentioned previously on some posts, when using DoH, docker containers within the network cannot resolve local static entries - am I missing something obvious here?
  • am I better off turning off remote requests on the built in resolver and offloading all the DNS to a pihole LXC container with static entries for my local servers as it seems the DNS/adlist functionality is all relatively new?

Otherwise, great bit of kit. Wireguard server & client/several VLANs/etc all configured and running excellently.

I’ve offloaded DNS to a pihole + unbound and the adblocking is working much better. Curious to know what others are doing?
My Hex S unfortunately doesn’t support containers so I’ll always need another place for pihole to live until Adlist gets some improvements. Or maybe I send it back for an RB5009…

I am not at all an expert, but I just enabled adlist and found the recommended/default stevenblack list prevented access to some web sites.

See here:

http://forum.mikrotik.com/t/adlist-usage-frustration/182737/1

But you are Forum guru :smiley:

@OP it all depends on which blocklists do you load. I loaded same blocklist from my adguard to my RB5009 and it’s working just as it did on adguard.

Thanks, yeah I had enabled it too and it works on some sites/adverts, but I’m finding the opposite problem - too many are still getting through via CNAME resolution (original post has the host command I used, against api.taboola.com which is listed in the stevenblack list and does get removed with A record lookups).

The pihole / unbound solution is much more effective. Hopefully Adlist will catch up some day.

It’s a quite a new feature. I believe Mikrotik will continue to work on it.

Thanks - yeah I see it’s a newish feature.
I’m learning that the feature I’m referring to is called Deep CNAME inspection, and was implemented in pihole v5.0 in 2020. Big discussion here https://discourse.pi-hole.net/t/apply-pi-hole-blocking-to-cnames/25445/1, release notes https://pi-hole.net/blog/2020/05/10/pi-hole-v5-0-is-here/#page-content
Not trivial!
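
The difference between checking only the queried name and walking the whole alias chain, which is what the "deep CNAME inspection" linked above refers to, as an added example that is not part of the thread and is not Pi-hole's or MikroTik's code. The zone data, the hosts-style blocklist entries and every domain under .test are constructed for the demo (api.taboola.com and its fastly.net alias are taken from the host output in the original post); matching is exact-name only, as a plain hosts-style list implies, so subdomain and regex matching are out of scope.

```python
# Added example: blocklist matching with and without following the CNAME chain.
# Zone records and blocklist entries below are constructed, not real DNS data.
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]    # owner name -> records an upstream would answer

BLOCKLIST_TEXT = """
# hosts-style blocklist; entries constructed for this example
0.0.0.0 api.taboola.com
0.0.0.0 tracker.example.test
"""

# Constructed zone: the first chain mirrors the CNAME seen in the original post.
ZONE: Zone = {
    "api.taboola.com.": [("CNAME", "tls13.taboola.map.fastly.net.")],
    "tls13.taboola.map.fastly.net.": [("A", "203.0.113.10")],
    "cdn.newsite.test.": [("CNAME", "tracker.example.test.")],   # listed name hides behind an alias
    "tracker.example.test.": [("A", "203.0.113.20")],
    "www.cleansite.test.": [("CNAME", "lb.cleansite.test.")],     # clean chain, must not be blocked
    "lb.cleansite.test.": [("A", "203.0.113.30")],
    "loop.test.": [("CNAME", "loop2.test.")],                      # CNAME loop, must terminate
    "loop2.test.": [("CNAME", "loop.test.")],
}


def normalize(name: str) -> str:
    """Lowercase and make fully qualified so lookups and list entries compare equal."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Parse '0.0.0.0 name' lines (bare 'name' lines accepted too), ignoring comments."""
    blocked: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        names = parts[1:] if len(parts) > 1 else parts
        blocked.update(normalize(n) for n in names)
    return blocked


BLOCKLIST = parse_hosts_blocklist(BLOCKLIST_TEXT)


def resolve_chain(name: str, zone: Zone, max_depth: int = 8) -> List[str]:
    """Return the queried name followed by every CNAME target, stopping on loops or depth."""
    chain = [normalize(name)]
    while len(chain) <= max_depth:
        targets = [rdata for rrtype, rdata in zone.get(chain[-1], []) if rrtype == "CNAME"]
        if not targets:
            break
        nxt = normalize(targets[0])
        if nxt in chain:          # loop guard
            break
        chain.append(nxt)
    return chain


def shallow_block(name: str, blocklist: Set[str]) -> bool:
    """Only the name the client asked for is compared against the list."""
    return normalize(name) in blocklist


def deep_block(name: str, zone: Zone, blocklist: Set[str]) -> Optional[str]:
    """Every owner in the alias chain is compared; returns the first listed name, or None."""
    for owner in resolve_chain(name, zone):
        if owner in blocklist:
            return owner
    return None


SINKHOLE: List[Record] = [("A", "0.0.0.0"), ("AAAA", "::")]


def answer(name: str, zone: Zone, blocklist: Set[str], deep: bool = True) -> dict:
    """Build the response a filtering resolver would hand back for `name`.

    A blocked query gets only the sinkhole addresses; the alias chain is withheld so the
    client cannot learn and re-resolve the CNAME target itself.
    """
    if deep:
        matched = deep_block(name, zone, blocklist)
    else:
        matched = normalize(name) if shallow_block(name, blocklist) else None
    if matched is not None:
        return {"blocked": True, "matched": matched, "answers": list(SINKHOLE)}
    records: List[Record] = []
    for owner in resolve_chain(name, zone):
        records.extend(zone.get(owner, []))
    return {"blocked": False, "matched": None, "answers": records}


if __name__ == "__main__":
    for q in ("api.taboola.com", "cdn.newsite.test", "www.cleansite.test"):
        print(q, "shallow:", answer(q, ZONE, BLOCKLIST, deep=False))
        print(q, "deep:   ", answer(q, ZONE, BLOCKLIST, deep=True))
```

Running it shows cdn.newsite.test passing the shallow check (its own name is not listed) but being sinkholed once the chain is walked, which is the class of leak the Pi-hole discussion above is about; the clean chain resolves normally under both modes, and the constructed loop terminates because of the guard in resolve_chain.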

In my setup, I am using Steven Black list in MikroTik Adlist + uBlock Origin in Firefox with the Annoyances enabled (EasyList and uBlock filters). Very few ads get through. Last but not least, no Windows 11 :slight_smile:

I would guess that ublock origin is doing most of the hard work here, obviously just from within Firefox. I haven’t tried recently but the CNAME resolution wasn’t blocked via Adlist.

I now use an AdGuard home container as my DNS resolver and it works perfectly.