DNS Ad Blocker for Cloudflare Zero Trust
Block ads, trackers, and malicious websites across your entire network using AdGuard DNS Filter (144K+ domains) deployed to Cloudflare Zero Trust Gateway with automated API upload. One-click deployment with a single DNS policy instead of hundreds of separate rules.
Key Features
144,452 domains + 66 IPs from AdGuard DNS Filter, automatically updated from the official AdGuard repository
Automated API upload creates 146 Gateway Lists and a single DNS policy - no manual configuration needed
One policy blocks all domains using Gateway Lists - no more managing 499 separate regex rules
Set up cron jobs for automated updates - keep your blocklist fresh with the latest threats
How It Works
This solution uses Cloudflare Gateway Lists to efficiently block ads and trackers. Instead of managing hundreds of regex patterns, it uploads the AdGuard DNS Filter to Cloudflare via API, creating 146 Gateway Lists (145 domain lists + 1 IP list) that are referenced by a single DNS policy.
Python script downloads the latest AdGuard DNS Filter (144K+ domains, 66 IPs) and splits them into CSV files
Automated upload creates 146 Gateway Lists in Cloudflare (max 1,000 entries per list on Standard plan)
One DNS policy references all 146 lists with OR conditions - blocks everything with a single rule
What Gets Blocked
Google Ads, Facebook Ads, and thousands of other ad networks and domains
Google Analytics, Facebook Pixel, and extensive tracking scripts
Known malicious domains and phishing sites from AdGuard's threat database
Software telemetry and usage reporting domains across various applications
Browser-based mining scripts and cryptocurrency mining domains
Social media widgets, tracking pixels, and embedded content trackers
Requirements
- Python 3.6+: For running the automation scripts
- Cloudflare Zero Trust Account: Free plan works perfectly
- API Credentials: Account ID and API token from Cloudflare
- Network Configuration: Devices configured to use Cloudflare Gateway DNS
Quick Start
pip install requests python-dotenv
Create a .env file with your Cloudflare credentials:
CLOUDFLARE_ACCOUNT_ID=your-account-id
CLOUDFLARE_API_TOKEN=your-api-token
Get your credentials from: Cloudflare Dashboard → Zero Trust → Settings
python3 generate-lists.py
Downloads AdGuard DNS filter and creates 145 domain CSV files + 1 IP CSV file
python3 upload_to_cloudflare.py
Automatically creates 146 Gateway Lists, uploads all domains/IPs, creates DNS policy, and enables it
Architecture
Gateway Lists (146 total):
- 145 domain lists (type: DOMAIN)
- 1 IP list (type: IP)
- Max 1,000 entries per list (Standard plan)
- Enterprise plan supports 5,000 entries per list
Single DNS Policy:
- Combines all 146 lists with OR conditions
- Domain lists: any(dns.domains[*] in $list_id)
- IP lists: any(dns.resolved_ips[*] in $list_id)
- Action: Block
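The split-and-combine step described above, as an added example that is not the project's own generate-lists.py or upload_to_cloudflare.py. It assumes plain `||host^` filter rules; the function names, the sample rules and the list IDs are hypothetical placeholders, and no API calls are made.

```python
import ipaddress
import re

MAX_ENTRIES = 1000  # per-list limit the page gives for the Standard plan
# Conservative hostname check so malformed rules never reach a Gateway List.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")


def parse_filter(lines):
    """Split '||host^' rules into (domains, ips), lowercased and deduplicated."""
    domains, ips = set(), set()
    for raw in lines:
        rule = raw.strip().lower()
        # Skip blanks, comments, and '@@' exception (allow) rules.
        if not rule or rule[0] in "!#" or rule.startswith("@@"):
            continue
        if not (rule.startswith("||") and rule.endswith("^")):
            continue  # modifiers or regexes: not a plain host rule
        host = rule[2:-1]
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            if _DOMAIN.match(host):  # rejects wildcards such as 'ad*.x.com'
                domains.add(host)
    return sorted(domains), sorted(ips)


def chunk(entries, size=MAX_ENTRIES):
    """Cut entries into consecutive lists of at most `size` items."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


def policy_expression(domain_list_ids, ip_list_ids):
    """OR together one membership test per list, in the form shown above."""
    terms = [f"any(dns.domains[*] in ${i})" for i in domain_list_ids]
    terms += [f"any(dns.resolved_ips[*] in ${i})" for i in ip_list_ids]
    return " or ".join(terms)


SAMPLE = [  # constructed sample rules, not taken from the real filter
    "! Title: constructed sample", "||ads.example.com^",
    "||ADS.example.com^", "||tracker.example.net^",
    "@@||allowed.example.org^", "||ad*.example.com^",
    "||203.0.113.7^", "||example.com^$important",
]

if __name__ == "__main__":
    domains, ips = parse_filter(SAMPLE)
    ids = [f"domain-list-{n}" for n, _ in enumerate(chunk(domains))]  # placeholder IDs
    print(policy_expression(ids, ["ip-list-0"]))
```

Exception rules and rules with modifiers are dropped rather than converted, so an allow rule in the source filter never turns into a block entry.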
Automated Updates
Keep your blocklist fresh with automated updates via cron jobs:
# Update weekly on Sunday at 2 AM
0 2 * * 0 cd /path/to/cfzt-adblock-dns-firewall && /usr/bin/python3 generate-lists.py && /usr/bin/python3 upload_to_cloudflare.py --auto-approve
The --auto-approve flag enables non-interactive mode for automated execution
Advantages Over Other Methods
1 policy instead of 499 regex rules - easier management and better performance
Blocks ads on all devices and apps without requiring client-side software
Prevents requests entirely at the DNS level, saving bandwidth and improving speed
Update rules once via API - changes apply instantly across all devices