Blockasaurus
DNS firewall & ad blocker for your network
Blockasaurus is a DNS proxy and ad blocker for your home or office network. It intercepts DNS queries and blocks requests to known advertising, tracking, and malware domains — giving you network-wide protection without installing anything on individual devices.
Key Features
| Feature | Description |
|---|---|
| Modern DNS | DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and plain UDP/TCP |
| Client Groups | Different blocking policies per device or group of devices |
| External Blocklists | Subscribe to community blocklists with automatic periodic refresh |
| Domain Rules | Per-domain allow/deny with exact match or regex patterns |
| Custom DNS | A, AAAA, and CNAME records for internal hosts |
| Web UI | Dashboard, live logs, and full configuration management |
| Caching | Built-in DNS cache with prefetching for fast responses |
| Monitoring | Prometheus metrics and Grafana dashboards |
How It Works
Blockasaurus sits between your devices and the internet’s DNS infrastructure. When a device on your network makes a DNS query:
- The query arrives at blockasaurus via plain DNS, DoT, or DoH.
- Blockasaurus identifies which client group the request belongs to (by source IP, EDNS CPE-ID, DoH path, or DoT hostname).
- The domain is checked against that group’s blocklists and domain rules. If blocked, a null response is returned immediately.
- If allowed, the query is forwarded to your configured upstream DNS servers (e.g., Cloudflare, Google, or your own recursive resolver).
- The response is cached and returned to the client.
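The group lookup and block decision from the steps above, as an added Go sketch (not Blockasaurus's own code). The `Group` type, the group names, prefixes, and domains are constructed for illustration. The rule precedence (an allow rule overrides a deny) and the fail-closed result for an unmatched client are assumptions, not documented behaviour.

```go
package main
import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Group is a hypothetical client group: a source prefix plus its policy.
type Group struct {
	Name             string
	Prefix           netip.Prefix
	Blocklist, Allow map[string]bool
	DenyRegex        []*regexp.Regexp
}

// Constructed sample data: documentation address space and example domains.
var groups = []Group{
	{"kids", netip.MustParsePrefix("192.0.2.0/28"),
		map[string]bool{"ads.example.net": true, "cdn.example.net": true},
		map[string]bool{"cdn.example.net": true},
		[]*regexp.Regexp{regexp.MustCompile(`^track[0-9]+\.example\.org$`)}},
	{"default", netip.MustParsePrefix("0.0.0.0/0"), map[string]bool{"ads.example.net": true}, nil, nil},
}

// Decide returns the matched group and "block" (null response) or "forward".
// Assumptions: first matching prefix wins; allow overrides deny; no group = block.
func Decide(src, qname string) (group, action string) {
	addr, _ := netip.ParseAddr(src) // a bad source yields the zero Addr, which matches no prefix
	name := strings.ToLower(strings.TrimSuffix(qname, ".")) // case-insensitive, drop root dot
	for _, g := range groups {
		if !g.Prefix.Contains(addr) {
			continue
		}
		denied := g.Blocklist[name]
		for _, re := range g.DenyRegex {
			denied = denied || re.MatchString(name)
		}
		if denied && !g.Allow[name] {
			return g.Name, "block"
		}
		return g.Name, "forward"
	}
	return "", "block"
}

func main() {
	fmt.Println(Decide("192.0.2.5", "Track42.example.org."))
}
```

Normalising the query name before matching matters here: without lowercasing and stripping the trailing dot, `Track42.example.org.` would slip past both the exact-match and the regex rule.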
Deployment Options
| Method | Description |
|---|---|
| OS packages (recommended) | Native packages for Debian/Ubuntu, RHEL/Fedora, and Arch Linux. Includes a hardened systemd service. The easiest path for Linux servers, Raspberry Pi, and similar devices. |
| Docker | Container image at ghcr.io/chrissnell/blockasaurus |
| Kubernetes + Helm | Production-ready Helm chart with TLS, persistence, and RBAC |
| Build from source | Clone, build, and run — requires Go 1.26+ and Node.js 22+ |
Getting Started
Head to Installation to get blockasaurus running, then follow the configuration guides in order. If you’re deploying with TLS (recommended for DoH/DoT), read TLS Configuration next.