Self-Hosted DNS Ad-Blocking Servers

This project is a command-line utility designed to benchmark and optimize network connectivity by identifying the fastest available content delivery network nodes. It performs concurrent latency probing and speed testing across large pools of IP addresses to evaluate real-world performance based on your specific geographic location and network environment. Beyond simple benchmarking, the tool functions as an automated configuration manager that synchronizes your network settings with the best-performing endpoints discovered during testing. It integrates with external DNS management services to update domain records and can modify local system files or generate configuration files for domain resolution services to ensure traffic is consistently routed through optimized paths. The software also includes capabilities for local network acceleration by spawning a lightweight proxy server that prioritizes high-speed connections. Users can customize the evaluation criteria, such as latency thresholds or packet loss limits, through command-line arguments to tailor the performance analysis to their specific requirements.

Pi-hole is a self-hosted network utility that functions as a DNS sinkhole server to provide network-wide ad blocking. By acting as a dedicated network gateway, it intercepts and discards requests for known advertising, tracking, and malicious domains across an entire local network, preventing unwanted content from loading on any connected device. The software operates through a lightweight background daemon that handles high volumes of concurrent DNS queries with minimal resource overhead. It utilizes a host-file injection mechanism to redirect traffic toward its local filtering engine and applies regex-based pattern matching to identify and block specific domain requests. Users manage these operations and monitor network traffic statistics through a centralized, web-based configuration interface. Beyond blocking, the project provides tools for comprehensive DNS traffic management and home network security. By resolving domain names locally, it offers increased visibility into outgoing internet traffic and helps optimize network performance by preventing the download of resource-heavy tracking scripts and advertisements.

phpipam is a web-based IP address management system and network asset manager used for tracking IPv4 and IPv6 address allocations, subnet masks, and network metadata. It functions as a centralized registry for coordinating virtual local area networks, routing instances, and DNS records. The platform includes data center infrastructure management capabilities to map physical hardware rack layouts and device placements. It also operates as a network scanner that identifies active addresses and monitors network capacity by automatically scanning subnets. The system provides a REST API for programmatically modifying network records and supports enterprise administration through role-based access control and directory service authentication. Additional capabilities cover subnet mask calculations, network data imports, and the coordination of domain records with external name servers.

ExternalDNS is a controller that automatically synchronizes Kubernetes resource states with external DNS providers. It monitors cluster resources such as services, ingresses, and gateway APIs to dynamically create and update DNS records, enabling automated service discovery and external traffic management. The project features a provider-agnostic interface that supports a wide array of cloud-managed vendors and on-premises providers, as well as an extension system for custom providers via webhooks and sidecars. It implements a reconciliation loop that uses resource annotations and custom resource definitions for declarative DNS management, ensuring that records are synchronized based on the desired state of the cluster. To maintain stability and security, the controller utilizes leader election for high availability and tracks record ownership through TXT records or external databases like DynamoDB. It optimizes provider API usage through in-memory caching and batching of record changes. The system also supports advanced traffic management, including split-horizon DNS and routing policies, while exposing operational metrics via Prometheus.

This project provides a system-wide content filtering utility that controls network traffic by redirecting domain resolution requests to local null addresses. By mapping unwanted hostnames to these addresses at the operating system level, it effectively blocks connections to advertising, tracking, and malicious domains across all applications on a machine. The core of the system is a data-driven build pipeline that aggregates multiple curated source lists into a single, unified configuration file. This process is highly customizable, allowing users to employ declarative filtering logic through external blacklist and whitelist files to define exactly which domains are included or excluded. The build process is managed via a command-line interface, which supports various flags to control output formats, source selection, and custom domain mappings. Beyond basic aggregation, the project supports diverse deployment scenarios, including containerized environments and integration with local network resolver services. It provides platform-specific utilities to ensure consistent application of these filtering rules, including mechanisms to manage local DNS client services for immediate configuration updates. The resulting output is designed to be environment-agnostic, maintaining compatibility across a wide range of operating systems and network services.

DnsServer is a recursive and authoritative DNS server that provides domain name resolution and zone hosting. It functions as both a recursive resolver, performing iterative lookups across the internet, and an authoritative manager for primary and secondary DNS zones. The system distinguishes itself through high-availability clustering and a programmable HTTP API for automating server configurations and bulk record management. It supports a wide range of encrypted transport protocols, including TLS, HTTPS, and QUIC, and allows for custom functionality via a plugin-based request interception framework. Its capability surface includes DNSSEC zone signing and validation, network-level ad and malware filtering through blocklists, and DNS64 translation for IPv6 to IPv4 mapping. It also provides DHCP scope and lease management, real-time traffic monitoring, and a web-based graphical interface for administration. The software can be deployed as a background system service or as a Docker container.

AdGuardHome is a network-wide software solution that provides centralized control over domain name resolution, content filtering, and local network management. It functions as a recursive DNS server and DHCP address server, intercepting network traffic to enforce security policies and block unwanted content across all connected devices. By acting as a central gateway, it ensures that every device on a home or office network benefits from consistent protection and private, authenticated name resolution. The software distinguishes itself through granular client management and robust security features. It automatically identifies connected hardware to provide detailed traffic statistics and allows for the application of custom filtering rules to specific devices or groups. To ensure privacy, it supports encrypted DNS protocols, including DNS-over-HTTPS and DNS-over-TLS, and automates the acquisition and renewal of SSL certificates. Administrators manage these settings through a centralized web-based dashboard, which also provides tools for monitoring performance and configuring upstream routing. The platform is designed for flexible deployment across diverse environments, including virtual servers, single-board computers, and isolated containers. It maintains system state through human-readable configuration files and supports non-privileged execution to enhance security. The project emphasizes integrity and reliability, offering reproducible build verification and standardized packaging for various operating systems and hardware architectures.

Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per app. The platform distinguishes itself through a capability-based security model where each app instance, called a grain, runs in its own sandbox and can only access resources explicitly granted through a system-level permission dialog known as the Powerbox. Every app grain receives a unique subdomain, enabling the reverse proxy to route requests to the correct container, while the platform automatically handles HTTPS provisioning, DNS updates, and backups. Applications are distributed as self-contained bundles that declare their dependencies and entry points in a manifest file, and the platform supports packaging any Linux-compatible web application into a secure, distributable bundle. Sandstorm handles automated server administration including configuring HTTPS, DNS, backups, and email for a self-hosted server without manual intervention. It provides centralized user access control that manages login and permissions for all installed apps, with support for restricting access by role or user account and authenticating via external providers including Active Directory. The platform also enables inter-application communication through the Powerbox, allowing apps to share data by passing capability references through a system-level dialog that mediates access.

Sing-box is a universal proxy engine and traffic router designed to manage complex network connectivity across multiple operating systems. It functions as a configuration-driven core that intercepts system-level traffic, allowing for transparent proxying through encrypted tunnels. By normalizing diverse network protocols into a unified interface, the engine enables consistent traffic forwarding and protocol translation regardless of the underlying environment. The project distinguishes itself through a declarative configuration pipeline that validates and merges modular settings into a unified internal state before execution. It employs a rule-based traffic dispatcher that evaluates incoming packets against hierarchical criteria to determine optimal routing paths dynamically. This is complemented by an asynchronous domain name resolution pipeline, which provides granular control over how network requests are mapped and filtered, ensuring that traffic handling remains both accurate and performant. Beyond its core routing capabilities, the platform includes a comprehensive security layer for managing encrypted connections, including support for advanced handshake options and certificate validation. It also provides tools for monitoring real-time traffic and connection status, alongside flexible management of routing rule sets that can be sourced from local or remote locations. The software is designed to be installed as a background service, providing a stable and scalable infrastructure for controlled network communication.

This project is a Kubernetes cluster management framework and infrastructure-as-code template designed to bootstrap and maintain Talos Kubernetes clusters on bare-metal or virtual machines. It provides a structured system for deploying complete orchestration environments using declarative configurations and template-driven workflows. The framework distinguishes itself through a GitOps-driven execution model that utilizes Flux for state reconciliation and Renovate for automated dependency updates of Helm charts and container images. It employs a TOML-based configuration system to generate environment-specific settings and integrates SOPS for encrypting secrets stored within version control. Broad capabilities include automated system upgrades, cluster capacity scaling, and persistent storage integration via NFS, SMB, or iSCSI. The project also covers network traffic management through automated DNS record updates, split-horizon DNS configuration, and secure tunnel integration.

This project is a community-curated database of network patterns designed to facilitate regional access bypass. It functions as a centralized, crowdsourced registry where distributed contributors submit and verify domain identifiers to maintain an accurate and up-to-date list of network rules. The registry provides a declarative syntax that allows diverse proxy clients to distinguish between local and restricted traffic. By standardizing these rules, the project enables automated configuration of routing tables, ensuring that only specific requests are directed through external proxy tunnels. The repository serves as a version-controlled distribution point for these network filters, allowing client applications to consume the data to maintain consistent filtering logic. The project is maintained as a collaborative, open-source database accessible for integration into various network routing tools.

IPFS is a peer-to-peer hypermedia protocol and content-addressed storage system that identifies data by cryptographic hashes rather than network locations. It enables the creation of a decentralized web by organizing files and directories as directed acyclic graphs of linked content identifiers. The project differentiates itself through the use of a distributed hash table for locating peers and a system of signed records to map human-readable names to changing content. It also provides HTTP gateways that translate standard web requests into peer-to-peer queries, allowing decentralized data to be accessible via standard web browsers. Broad capabilities cover decentralized data storage, including content pinning for persistence and the hosting of static websites with custom DNS resolution. The system also includes peer-to-peer messaging via a topic-based pubsub system, cryptographic key management for data authenticity, and tools for visualizing network traffic and peer connectivity. Node operations can be managed through a command-line interface, a browser-based GUI, or a standardized HTTP RPC API.

Clash-rules provides a standardized, declarative system for managing network traffic routing across desktop and mobile proxy clients. It functions as a centralized configuration provider that uses structured rule sets to categorize outgoing requests, allowing users to define whether specific connections should be proxied, rejected, or routed directly. The project distinguishes itself through its comprehensive, curated rulesets that enable granular control over network behavior. By employing domain-pattern matching, CIDR-based network analysis, and application-specific signatures, it ensures consistent traffic management across diverse environments. It also supports automated synchronization, allowing proxy clients to fetch updated routing logic from external sources without manual intervention. The platform covers a broad range of traffic management capabilities, including regional content access, local network optimization, and malicious traffic filtering. These features allow for the systematic blocking of advertising and tracking domains while ensuring that private, local, and internal network resources bypass proxy tunnels to maintain direct connectivity.

DevOps-Bash-tools is a collection of shell scripts and aliases designed to automate cloud infrastructure, container orchestration, and CI/CD pipelines. It provides a comprehensive toolset for managing operational workflows through the command line. The project specializes in automating tasks across multiple platforms, including managing namespaces and secrets in Kubernetes, auditing resources in AWS and GCP, and triggering builds or managing environment variables in GitHub Actions, GitLab CI, and CircleCI. It also includes a toolkit for interacting with container registries to query manifests and optimize image sizes, as well as utilities for batch processing Git repositories and enforcing commit standards. Beyond cloud and pipeline management, the toolset covers a broad range of capabilities including system administration, development environment setup, and security auditing for identity permissions and secret leakage. It also provides utilities for media manipulation, data processing, and the automation of language runtime installations.

FreeDomain is a centralized platform for managing the full lifecycle of domain names, providing services for free registration and web presence activation. It offers a unified administrative interface that allows users to secure digital identities across multiple top-level extensions and configure hosting environments through a guided setup process. The platform distinguishes itself through an API-driven orchestration layer that automates interactions with external registrars and simplifies complex infrastructure management by abstracting DNS configurations into standardized zone file updates. It incorporates multi-tenant identity management to ensure secure resource isolation and includes a policy-based compliance engine that utilizes event-driven workflows to identify and mitigate domain misuse. The system supports comprehensive domain administration, including tools for managing DNS records, maintaining connectivity settings, and facilitating formal abuse reporting. These administrative capabilities are supported by asynchronous task processing to handle high-latency requests, ensuring consistent system responsiveness during domain activation and propagation.

Register is a GitOps domain registrar and subdomain registration service that uses version-controlled configuration files to manage domain ownership and mappings. It functions as a DNS management system and record orchestrator, utilizing JSON-based declarative configurations to programmatically update A, CNAME, MX, and TXT records. The project distinguishes itself through a registration process where domain ownership and subdomain assignments are stored as the source of truth within Git repositories. It includes an automated SSL provisioning tool to configure web servers and security certificates for newly assigned subdomains, as well as a domain ownership verifier used to enable custom handles and verified badges on external platforms. The system covers a broad range of networking and identity capabilities, including static site hosting setup, email routing configuration, and the creation of nested subdomains. It also provides tools for managing redirect paths and reporting domain abuse.

uBlock is a browser-based content blocker that functions as a declarative filtering engine to intercept network requests and modify web page content. It operates by parsing standardized filter lists into optimized data structures, allowing it to block network hosts, enforce security policies, and prevent unauthorized data transmission. The extension provides a comprehensive security layer that monitors outgoing traffic and disables intrusive browser features to enhance user privacy. What distinguishes this project is its granular control over filtering behavior through a dynamic rule orchestrator. Users can manage custom rules, apply site-specific overrides, and toggle filtering settings on a per-domain basis. The engine also employs advanced techniques such as CNAME uncloaking, IP address filtering, and response body modification to identify and neutralize trackers that attempt to bypass standard blocking methods. Furthermore, it supports enterprise-grade deployment, enabling organizations to enforce consistent security and filtering configurations across managed environments. The project covers a broad capability surface including cosmetic page modification, which uses CSS injection and sandboxed scriptlets to remove visual clutter and neutralize anti-blocking scripts. It also provides interactive tools for real-time network traffic inspection and manual element removal, ensuring users can debug and customize their browsing experience. The extension is designed to maintain high performance by synchronizing its initialization at startup, ensuring that all security rules are active before any network requests are processed.

This project is a curated collection of deployment files and configurations for hosting a wide variety of open-source services on a home server. It primarily utilizes Docker and Docker Compose to automate the orchestration, lifecycle management, and deployment of containerized applications. The repository provides a comprehensive suite for self-hosted infrastructure, covering network management tools, media streaming, and home automation. It includes specialized configurations for securing internal services via reverse proxies, WireGuard VPN tunnels, and automated SSL/TLS certificate management. The project covers a broad set of capability areas, including system monitoring and observability, deduplicated data backup and recovery, and network traffic management. It also provides deployment patterns for asset tracking, AI-powered video surveillance, and game server administration. The implementation is primarily based on Shell scripts and YAML configuration files.

Mihomo is a rule-based network proxy and traffic orchestrator designed to manage internet connections by intercepting and routing data packets. It functions as a background service that directs traffic through various proxy nodes based on user-defined policies, allowing for granular control over outbound network paths. The engine distinguishes itself through a sophisticated domain pattern matching system that utilizes wildcard and suffix-based algorithms to categorize web traffic. It supports complex configuration management by allowing users to define reusable data blocks and import external domain collections, ensuring that routing policies remain consistent and up-to-date across different geographic regions and operating systems. The project provides a comprehensive suite of tools for network security filtering and traffic management. It processes structured configuration files to define rules based on destination hostnames and port ranges, enabling the creation of detailed filtering policies. The system is configured using a standard serialization format that supports object nesting, array definitions, and inline documentation.

This project is a dynamic DNS client and automation service designed to maintain consistent connectivity for web services by synchronizing domain name records with changing public network addresses. It operates as a persistent background daemon, periodically polling for IP address changes and automatically updating records across multiple DNS providers. The application distinguishes itself through an embedded web-based dashboard that allows users to manage domain settings, monitor update logs, and configure provider credentials without manual file editing. It utilizes a provider-agnostic adapter pattern to support various DNS services and includes a webhook-driven notification system that triggers external HTTP requests upon successful or failed record updates. The software supports flexible deployment through static binary compilation and containerization, ensuring it can run as a system service across diverse environments. It also provides extensibility through custom callback execution, allowing for the integration of proprietary DNS services or the retrieval of specific network interface addresses.