04.02.2026

hBlock: System-Wide Ad Blocking Using the Hosts File


Browser extensions like uBlock Origin are great, but they only protect one application. What if you want to block ads and trackers system-wide—for every app, every browser, even background services? That's where hosts file blocking comes in, and hBlock is one of the best tools for the job.

What Is hBlock?

hBlock is a POSIX-compliant shell script that aggregates domains from 40+ blocklists and generates a unified hosts file. When a domain is in your hosts file pointing to 0.0.0.0, your system simply can't connect to it—no ads, no trackers, no malware callbacks.

Key features:

  • Aggregates 40+ curated blocklists (EasyList, AdGuard, uBlock, Phishing Army, etc.)
  • Outputs to multiple formats (hosts, dnsmasq, unbound, RPZ, etc.)
  • Automatic updates via systemd timer
  • POSIX-compliant—works on any Unix-like system
  • Nightly builds available at hblock.molinero.dev

Why Use Hosts-Based Blocking?

| Method | Scope | Bypass Risk | Performance |
|---|---|---|---|
| Browser extension | Single browser | Medium | Good |
| Hosts file | Entire system | Low | Excellent |
| Pi-hole/AdGuard Home | Entire network | Low | Good |

Hosts file blocking is:

  • Universal: Works for all applications, not just browsers
  • Fast: DNS lookup fails instantly—no network round trip
  • Lightweight: No background daemon required
  • Resistant to bypass: Apps can't easily circumvent it

Installation

Package Managers

hBlock is available in many repositories:

# Arch Linux
pacman -S hblock

# Debian/Ubuntu (via apt repository)
apt install hblock

# macOS
brew install hblock

# Alpine
apk add hblock

Manual Installation

curl -o /tmp/hblock 'https://raw.githubusercontent.com/hectorm/hblock/v3.5.1/hblock' \
  && echo 'd010cb9e0f3c644e9df3bfb387f42f7dbbffbbd481fb50c32683bbe71f994451  /tmp/hblock' | shasum -c \
  && sudo mv /tmp/hblock /usr/local/bin/hblock \
  && sudo chown 0:0 /usr/local/bin/hblock \
  && sudo chmod 755 /usr/local/bin/hblock

Basic Usage

Running hBlock is simple:

# Generate and apply hosts file (requires root)
sudo hblock

That's it. hBlock will:

  1. Download all configured blocklists
  2. Merge and deduplicate domains
  3. Back up your existing hosts file
  4. Write the new hosts file to /etc/hosts

Check What's Blocked

After running hBlock, your hosts file will contain entries like:

0.0.0.0 ads.example.com
0.0.0.0 tracker.analytics.com
0.0.0.0 malware.badsite.net

You can count blocked domains:

grep -c '^0\.0\.0\.0' /etc/hosts
# Output: 350000+ (depending on sources)

Configuration Options

hBlock is highly configurable:

# Use custom output file
hblock -O /etc/hosts.block

# Change the redirection address (default: 0.0.0.0)
hblock -R 127.0.0.1

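# Add custom header to hosts file (-H takes a file, "builtin", "none", or "-" for stdin)
echo '# My custom hosts file' | hblock -H -

# Allowlist specific domains (-A takes a file of domains, or "-" for stdin)
echo 'example.com' | hblock -A -

# Denylist additional domains (-D takes a file of domains, or "-" for stdin)
echo 'extra-bad-domain.com' | hblock -D -

# Output in dnsmasq format instead (-T is the per-entry template, %D is the domain)
hblock -H none -F none -T 'local=/%D/' -O /etc/dnsmasq.d/blocklist.conf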

Preserving Custom Entries

If you have custom entries in /etc/hosts, create a header file:

sudo mkdir -p /etc/hblock.d
sudo tee /etc/hblock.d/header > /dev/null << 'EOF'
127.0.0.1 localhost
127.0.1.1 myhostname
192.168.1.100 homeserver.local
EOF

# hBlock will prepend this to the generated file (-H takes the file path)
sudo hblock -H /etc/hblock.d/header

Automatic Updates with systemd

Keep your blocklist current with a systemd timer:

# Create service file
sudo tee /etc/systemd/system/hblock.service << 'EOF'
[Unit]
Description=hBlock
Documentation=https://github.com/hectorm/hblock
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/hblock
EOF

# Create timer file
sudo tee /etc/systemd/system/hblock.timer << 'EOF'
[Unit]
Description=hBlock timer

[Timer]
OnCalendar=daily
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF

# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable --now hblock.timer

Verify the timer is active:

systemctl list-timers hblock.timer

Alternative Output Formats

hBlock supports multiple DNS server formats:

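# Each format is a per-entry template (-T, with %D as the domain) plus a
# comment character (-C); -H/-F replace or disable the hosts-style header and footer.

# For dnsmasq
hblock -H none -F none -T 'local=/%D/' -O /etc/dnsmasq.d/blocklist.conf

# For unbound (entries belong under a "server:" clause, passed as the header on stdin)
echo 'server:' | hblock -H - -F none -T 'local-zone: "%D" always_nxdomain' -O /etc/unbound/unbound.conf.d/blocklist.conf

# For BIND RPZ (zone file needs an SOA/NS header; ";" is the comment character)
printf '%s\n' '$TTL 2h' '@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)' '  IN NS localhost.' \
  | hblock -H - -F none -T '%D CNAME .' -C ';' -O /etc/bind/zones/blocklist.rpz

# For hosts.deny (TCP wrappers)
hblock -H none -F none -T 'ALL: %D' -O /etc/hosts.deny.block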

This makes hBlock useful for network-wide blocking on your DNS server.

Blocklist Sources

hBlock aggregates 40+ sources including:

| Category | Examples |
|---|---|
| Ad blocking | EasyList, AdGuard, uBlock filters |
| Privacy | EasyPrivacy, first-party trackers |
| Malware | URLhaus, Phishing Army, abuse.ch |
| Regional | Lists for 15+ languages/regions |
| Crypto mining | AdBlock NoCoin List |

Full list: SOURCES.md

Temporarily Disable Blocking

Need to access a blocked domain temporarily?

# Generate empty hosts file (keeps structure, removes blocks)
sudo hblock -S none -D none

# Re-enable later
sudo hblock

Or for a single domain, add it to your allowlist:

echo 'temporarily-needed.com' | sudo hblock -A -

Troubleshooting

Site Not Working After hBlock

  1. Check if the domain is blocked:

    grep "problematic-domain.com" /etc/hosts
    
  2. If blocked, add to allowlist:

    echo 'problematic-domain.com' | sudo hblock -A -
    
  3. Report false positive to the original blocklist maintainer
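
The `grep` in step 1 matches any line that contains the string, so a parent domain or a lookalike name also produces a hit. The script below is an added example (not part of hBlock or the original article) that tests for exact hostnames and lists mappings pointing anywhere other than the sink address or your own header entries; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a hosts file such as the one hBlock writes.

# Print every hostname mapped to the sink address, lower-cased, one per line.
sink_names() {
  awk -v sink="${2:-0.0.0.0}" '
    { sub(/#.*/, "") }                          # ignore comments
    $1 == sink { for (i = 2; i <= NF; i++) print tolower($i) }
  ' "$1"
}

# Number of blocked names (literal address match, not a regex on the line).
count_blocked() { sink_names "$@" | wc -l | tr -d ' '; }

# Succeeds only on an exact hostname match. Hosts entries have no wildcards,
# so the parent or a subdomain of a blocked name is not itself blocked.
# usage: is_blocked HOSTS_FILE DOMAIN [SINK]
is_blocked() {
  sink_names "$1" "${3:-0.0.0.0}" |
    grep -Fxq -- "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Print "ADDRESS NAME" for mappings that are neither sink entries nor listed
# in your own header file; anything printed deserves a manual look.
# usage: unexpected_entries HEADER_FILE HOSTS_FILE [SINK]
unexpected_entries() {
  awk -v sink="${3:-0.0.0.0}" '
    { sub(/#.*/, "") }
    FILENAME == ARGV[1] { for (i = 2; i <= NF; i++) known[$1 " " tolower($i)]; next }
    NF >= 2 && $1 != sink {
      for (i = 2; i <= NF; i++) { k = $1 " " tolower($i); if (!(k in known)) print k }
    }
  ' "$1" "$2"
}

# Constructed sample files (not real hBlock output).
header=$(mktemp); hosts=$(mktemp)
trap 'rm -f "$header" "$hosts"' EXIT
printf '%s\n' '127.0.0.1 localhost' '192.168.1.100 homeserver.local' > "$header"
cat "$header" - > "$hosts" << 'EOF'
# 0.0.0.0 disabled.example.com
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Analytics.com   # mixed case, trailing comment
203.0.113.7 updates.example.com
EOF

echo "blocked names: $(count_blocked "$hosts")"
is_blocked "$hosts" example.com || echo "example.com itself is not blocked"
unexpected_entries "$header" "$hosts"
```

On a real system, pass `/etc/hosts` and the header file you gave to hBlock instead of the sample files.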

DNS Cache Issues

After updating the hosts file, flush DNS cache:

# systemd-resolved (older releases: systemd-resolve --flush-caches)
sudo resolvectl flush-caches

# nscd
sudo nscd -i hosts

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Performance Impact

With 300,000+ entries, you might wonder about performance. In practice:

  • Hosts file lookups are O(1) hash table operations in modern systems
  • Memory usage: ~15-30MB for the parsed hosts file
  • No measurable impact on DNS resolution speed

hBlock vs Alternatives

| Tool | Type | Best For |
|---|---|---|
| hBlock | Hosts file generator | Single-machine blocking |
| Pi-hole | DNS sinkhole | Network-wide blocking |
| AdGuard Home | DNS + filtering | Network + DoH/DoT |
| StevenBlack hosts | Static hosts file | Simple, no script |

hBlock is ideal when you want:

  • No background daemon
  • Script-based automation
  • Multiple output formats
  • Easy allowlist/denylist management

FAQ

Does hBlock slow down my system?

No. Modern operating systems use efficient data structures for hosts file lookups. Even with 300,000+ entries, performance impact is negligible.

Will this break legitimate websites?

Occasionally. Some sites serve content from the same domains as ads. Use the allowlist (-A) flag for any false positives.

Can apps bypass hosts file blocking?

Apps using hardcoded IPs or DoH (DNS over HTTPS) can bypass hosts blocking. For those cases, consider network-level blocking with Pi-hole or firewall rules.

How often should I update?

Daily updates are reasonable. New malware domains appear constantly, and blocklists are updated frequently.

