Automated threat-intelligence DNS blocklist — merged, deduplicated, and published every 48 hours via GitHub Actions.
Use this URL directly in Technitium, Pi-hole, AdGuard, or any DNS resolver that accepts a flat domain list:
https://raw.githubusercontent.com/ChillBill77/dns-blacklist/main/dist/blocklist.txt
| Name | Category | URL |
|---|---|---|
| stevenblack_hosts | Ads / Malware / Fakenews | link |
| blp_abuse | Abuse / Spam | link |
| blp_phishing | Phishing | link |
| blp_malware | Malware C2 | link |
| blp_ransomware | Ransomware C2 | link |
| blp_scam | Scam / Fraud | link |
| phishtank | Phishing | link |
| bbcan177_ms3 | Malware / Spyware | link |
| joewein_dombl | Spam / Scam | link |
To add or remove sources, edit sources.txt.
```
sources.txt
    │
    ▼
merge.sh
    ├── Download each source (with retry + timeout)
    ├── Normalize: hosts format → plain domain, lowercase
    ├── Validate: regex filter on valid FQDN format
    ├── Deduplicate: sort -u across all sources
    └── Write dist/blocklist.txt + dist/stats.json
```
The script handles both input formats automatically:
- hosts format: `0.0.0.0 domain.tld` or `127.0.0.1 domain.tld`
- plain domain list: `domain.tld` (one per line)
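The normalize, validate and deduplicate stages, sketched as an added example (this is not the project's merge.sh; the function names and the sample feed are constructed). It assumes the two sinkhole addresses listed above, and it additionally drops `localhost.localdomain` and any line that is not a syntactically valid FQDN, such as an HTML error page returned by a failing source.

```shell
#!/usr/bin/env bash
# Added example, not the project's merge.sh. Names and sample data are constructed.

# Read a mixed hosts-format / plain-domain feed on stdin,
# write lowercase, validated, unique domains on stdout.
normalize_domains() {
  tr -d '\r' |                                  # tolerate CRLF feeds
  awk '
    { sub(/#.*/, "") }                          # strip full-line and trailing comments
    NF == 0 { next }
    # hosts format: sinkhole address followed by one or more hostnames
    $1 == "0.0.0.0" || $1 == "127.0.0.1" {
      for (i = 2; i <= NF; i++) print tolower($i)
      next
    }
    NF == 1 { print tolower($1) }               # plain list: one token per line
    # anything else (other IPs, HTML, free text) is dropped
  ' |
  sed 's/\.$//' |                               # "example.com." -> "example.com"
  # FQDN check: LDH labels of 1-63 chars, no leading/trailing hyphen,
  # alphabetic or punycode TLD. Rejects bare IPs, "localhost", underscores.
  grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,63}|xn--[a-z0-9-]{1,59})$' |
  grep -Ev '^localhost\.localdomain$' |         # common hosts-file boilerplate
  awk 'length($0) <= 253' |                     # overall DNS name length limit
  LC_ALL=C sort -u
}

# Constructed sample feed mixing both formats with lines that must be rejected.
sample_feed() {
  cat <<'EOF'
# constructed sample, not real indicators
0.0.0.0 Ads.Example.COM
127.0.0.1 tracker.example.net   # inline comment
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 ip6-localhost
0.0.0.0 0.0.0.0
phish.example.org
ADS.example.com.
bad_host.example.com
-leading.example.com
xn--bcher-kva.example
<html>404 Not Found</html>
EOF
  printf '0.0.0.0 crlf.example.io\r\n'
}

sample_feed | normalize_domains
```
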
Option A — URL (recommended, auto-updates):
- Settings → Blocking → Block List URLs
- Add: `https://raw.githubusercontent.com/YOUR_ORG/YOUR_REPO/main/dist/blocklist.txt`
- Set Auto Update Interval to 1 day
- Click Update Block Lists Now
Option B — Technitium REST API:
```bash
TECHNITIUM="http://localhost:5380"
TOKEN="your_api_token"

# Point the resolver at the published blocklist
curl -s -X POST "$TECHNITIUM/api/settings/set" \
  -d "token=$TOKEN" \
  --data-urlencode "blockListUrls=https://raw.githubusercontent.com/YOUR_ORG/YOUR_REPO/main/dist/blocklist.txt"

# Trigger an immediate block list refresh
curl -s -X POST "$TECHNITIUM/api/blocklist/forceupdateBlockLists" \
  -d "token=$TOKEN"
```

```bash
# Clone
git clone https://github.com/YOUR_ORG/YOUR_REPO
cd YOUR_REPO

# Run (outputs to dist/blocklist.txt)
chmod +x merge.sh
./merge.sh

# Dry run (no output written)
./merge.sh --dry-run

# Custom sources file
./merge.sh --sources my_sources.txt
```

Dependencies: bash, curl, awk, sort, grep (all standard on Linux/macOS).
No Python, no pip, no containers needed.
The workflow runs automatically every 48 hours (03:00 UTC) and on every push to sources.txt or merge.sh.
Manual trigger: Actions → Update Blocklist → Run workflow
The bot only commits when the output actually changes — no noise commits.
After each run, dist/stats.json contains a machine-readable build summary:
```json
{
  "generated_at": "2026-03-15T03:00:00Z",
  "git_sha": "a1b2c3d",
  "total_unique_domains": 758009,
  "sources": {
    "blp_abuse": 435153,
    "blp_malware": 435218,
    ...
  },
  "failed_sources": []
}
```