Enclave Gateway and Pi-Hole DNS Filtering

Parties electing to self-host Enclave Gateway can follow the Internet Gateway setup instructions to run the popular open source DNS filtering software Pi-Hole alongside their Enclave Gateways to filter out harmful domains serving ads, malware and other online threats.

The Pi-hole integration is usually deployed as a self-hosted solution, but is also available as a co-managed or fully managed service. For more information about co-managed or managed deployments, please contact us.

Pi-Hole recommended blocklists

Summary

Blocklist URL	Blocklist description
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts	Pi-hole adware and malware
https://www.spamhaus.org/drop/drop.txt	Spamhaus DROP list
https://threatfox.abuse.ch/downloads/hostfile	ThreatFox and Spamhaus IOCs
https://cinsscore.com/list/ci-badguys.txt	CINS Army list
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt	Proofpoint Emerging Threats list

Detail

1. Pi-Hole default blocklist: Composed of several curated and reputable source lists focused on blocking known-malicious domains categorised as adware and malware. Note that there are 31 variants of this list, allowing selective customisation and extension of the categories to include fakenews, social, gambling, and porn. The base list is remains composed of domains categorised adware and malware.

   URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts (adware + malware)

   ---

2. Spamhaus "Don't Route Or Peer Lists" (DROP): A list the worst of the worst IP traffic on the Internet at source the provider level, including providers intentionally tolerant of — or complicit in — illegal, unethical, or abusive content and activities. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to Internet users that Spamhaus provides access to anyone who wants to add an additional layer of protection, free of charge.

   URL: https://www.spamhaus.org/drop/drop.txt

   ---

3. ThreatFox and Spamhaus IOCs: ThreatFox is a platform from abuse.ch and Spamhaus dedicated to sharing indicators of compromise (IOCs) associated with malware, with the infosec community, AV vendors and cyber threat intelligence providers, an actively maintained feed of malicious domains derived from community and partner reporting.

   URL: https://threatfox.abuse.ch/downloads/hostfile

   ---

4. CINS Army list: A public blocklist of high-risk IP addresses flagged for malicious activity. Compiled and maintained by Nomic Networks, based on threat intelligence data collected by their Sentinel devices and other trusted InfoSec sources.

   URL: https://cinsscore.com/list/ci-badguys.txt

   ---

5. Proofpoint Emerging Threats list: a public blocklist composed on data from spam nets identified by Spamhaus and top attackers listed by DShield, maintained by Proofpoint.

   URL: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

---

Last updated April 04, 2025