DNS Filtering & Firewall
Aegis DNS
DNS firewall with ad-blocking, parental controls, per-client policies, and real-time query analytics.
Running · 47d 12h
Queries 1h: 3842 (Last hour)
Blocked 1h: 914 (Filtered)
Rules: 164228 (Active filters)
Lists: 7/9 (Blocklists)
Clients: 8 (Devices)
Total Queries: 84211
Queries Blocked: 18440
Percentage Blocked: 21.9%
Domains on Lists: 164228
[Charts: Queries Over Time (Permitted vs Blocked); Total Queries Over 24h (Hourly trend); Client Activity Over 24h (Top clients); Query Types; Upstream Servers]
Top Permitted Domains (9 entries)
updates.example.net | 881
cdn.safe.example | 542
api.push.example | 398
pool.ntp.example | 341
connectivity-check.example | 289
metrics.example.net | 204
ntp.org | 188
dns.google | 167
gateway.lan | 142
Top Blocked Domains (8 entries)
telemetry.example.com | 604
ads.doubleclick.example | 422
*.ads.example | 388
ads.google.com | 311
*.adserv.example | 244
*.crashlytics.example | 198
doh.cloudflare.example | 167
*.malware-c2.example | 89
Top Clients (Total) (8 clients)
smart-tv-living | 3841
media-tv | 4820
office-laptop | 3214
kids-tablet | 2811
smart-speaker | 2218
iphone-ev | 1928
guest-phone | 841
nas | 420
Top Clients (Blocked Only)
kids-tablet | 1044
smart-tv-living | 892
smart-speaker | 710
media-tv | 612
guest-phone | 312
Rules (showing 12 of 164228)
Domain | Type | Action | Category | Source | Enabled
*.ads.example | wildcard | block | ads | manual
telemetry.example.com | exact | block | tracking | hagezi
safe.search.example | rewrite | rewrite | family | policy
*.doubleclick.net | wildcard | block | ads | hagezi
ads.google.com | exact | block | ads | hagezi
*.adserv.example | wildcard | block | ads | oisd
metrics.example.net | exact | block | tracking | manual
*.crashlytics.example | wildcard | block | tracking | hagezi
adult-content.example | exact | block | adult | oisd
*.malware-c2.example | wildcard | block | malware | manual
doh.cloudflare.example | exact | block | doh | manual
gateway.lan | rewrite | rewrite | local | manual
Blocklist Subscriptions
HaGeZi Max seeds Ultimate, TIF, DoH bypass and native telemetry lists from the official GitHub repository. Daily auto-update at 04:17.
Ultimate | adblock
Pro++ | domains
HaGeZi Multi Ultimate
https://example.invalid/hagezi.txt
adblock | 91442 rules | ads | Updated: 18m ago
OISD Basic
https://example.invalid/oisd.txt
hosts | 64188 rules | tracking | Updated: 21m ago
Steven Black Hosts
https://example.invalid/stevenblack.txt
hosts | 18200 rules | ads | Updated: 45m ago
Phishing Arm
https://example.invalid/phishing-arm.txt
adblock | 34200 rules | phishing | Updated: 2h ago
1Hosts Lite
https://example.invalid/1hosts-lite.txt
hosts | 12400 rules | ads | Updated: 1h ago
WindowsSpyBlocker
https://example.invalid/winspy.txt
hosts | 4820 rules | tracking | Updated: 3h ago
DNSBL Malware
https://example.invalid/dnsbl-malware.txt
adblock | 8900 rules | malware | Updated: 30m ago
Time | Domain | Client | Type | Action | Reason / Rule | Response
DNS Clients (8)
IP | MAC | Name | Track Hostname | Firewall | Policy | Blocked Services | Client DNS | DHCP Bind | Stats (24h)
192.168.10.11 AA:BB:CC:00:00:11
tracking
Q:3214 B:184 R:12%
192.168.10.24 AA:BB:CC:00:00:24
youtube tiktok
Q:2811 B:1044 R:48%
192.168.10.40 AA:BB:CC:00:00:40
Q:4820 B:612 R:22%
192.168.10.55 AA:BB:CC:00:00:55
tracking
Q:1928 B:148 R:8%
192.168.10.60 AA:BB:CC:00:00:60
telemetry
Q:3841 B:892 R:31%
192.168.10.65 AA:BB:CC:00:00:65
telemetry tracking
Q:2218 B:710 R:35%
192.168.10.100 AA:BB:CC:00:01:00
facebook instagram
Q:841 B:312 R:44%
192.168.10.8 AA:BB:CC:00:00:08
Q:420 B:8 R:2%
DNS Policies
Create profiles, assign them to clients, and manage service/schedule metadata.
Default | allow
Family | allow
IoT | allow
Guest | block
Family Schedule
Enforced every minute by nft for clients assigned to the Family policy.
Blocked Services
ON = globally blocked for all clients. OFF = available for per-policy/client assignment only.

Youtube (3 domains): youtube.com, googlevideo.com, ytimg.com
Tiktok (2 domains): tiktok.com, tiktokcdn.com
Tracking (2 domains): telemetry.example.com, metrics.example.net
Console Games (custom): psn.example, xbox.example
Safe Search Engines
DNS rewrites used by policies.

Google | rewrite | google.com -> forcesafesearch.google.com
Bing | rewrite | bing.com -> strict.bing.com
DNS Groups
Kids
ID 1 | 1 clients | 2 rules | 1 lists
Clients: kids-tablet
Rules: #1 *.ads.example, #2 telemetry.example.com
Lists: HaGeZi Multi Ultimate

DNS Access Control
ID | Type | Value | Comment | Enabled
1 | allowed_client | 192.168.10.0/24 | LAN | ✓
2 | blocked_host | doh.example.com | DoH bypass | ✓
Local DNS (5 records, 3 rewrites)
nas.lan | A | TTL 60 | 192.168.10.8 | NAS
gateway.lan | A | TTL 60 | 192.168.10.1 | Gateway
printer.lan | A | TTL 120 | 192.168.10.15 | Office printer
camera.lan | A | TTL 60 | 192.168.10.110 | IP camera
ntp.lan | A | TTL 3600 | 192.168.10.1 | NTP server
DNS Rewrites
gateway.lan | A | 192.168.10.1
safe-search.google.com | CNAME | forcesafesearch.google.com
bing.com | CNAME | strict.bing.com
Upstream DNS Servers
Address | Protocol | Domain | Priority
1.1.1.1 | udp | — | 100
9.9.9.9 | tls | quad9.net | 110
1.0.0.1 | udp | — | 120
8.8.8.8 | udp | — | 200
DNS Settings
DHCP Server (7 leases, 1 scopes, 3 static)
ON
Active Leases: 7 (Connected)
Scopes: 1 (DHCP pools)
Static Leases: 3 (Reservations)
DHCP: ON (Running)
DHCP Scopes (1 configured)
Name | Interface | Subnet | Range Start | Range End | Gateway | DNS | Domain | Lease | Status
LAN | lan0 | 192.168.10.0/24 | 192.168.10.50 | 192.168.10.250 | 192.168.10.1 | 192.168.10.1 | lan | 43200s | ON
Active Leases (7 total)
IP | MAC | Hostname | State | Source
192.168.10.11 | AA:BB:CC:00:00:11 | office-laptop | active | dnsmasq
192.168.10.24 | AA:BB:CC:00:00:24 | kids-tablet | active | dnsmasq
192.168.10.40 | AA:BB:CC:00:00:40 | media-tv | active | dnsmasq
192.168.10.55 | AA:BB:CC:00:00:55 | iphone-ev | active | dnsmasq
192.168.10.60 | AA:BB:CC:00:00:60 | smart-tv-living | active | dnsmasq
192.168.10.65 | AA:BB:CC:00:00:65 | smart-speaker | active | dnsmasq
192.168.10.100 | AA:BB:CC:00:01:00 | guest-phone | active | dnsmasq
Static Leases (3 reservations)
MAC | IP | Hostname | Comment
AA:BB:CC:00:00:08 | 192.168.10.8 | nas | Storage
AA:BB:CC:00:00:15 | 192.168.10.15 | printer | Office Printer
AA:BB:CC:00:00:1A | 192.168.10.110 | camera | IP Camera
DHCP Options (3 configured)
Scope | Code | Name | Value | Type | Enabled
Global | 6 | DNS Servers | 192.168.10.1 | ips | ON
Global | 3 | Router | 192.168.10.1 | ips | ON
Global | 15 | Domain Name | lan | string | ON
DHCP Safety Checks

Before enabling DHCP on an interface, verify these checks:

1. No conflicting DHCP server

Detect existing DHCP servers on the network.

2. Validate Scope Config

Check that range, gateway, and subnet are valid and non-overlapping.

3. Never on WAN

Do not enable DHCP on the WAN interface — this can break your network.

⚠ Danger Zone

Write DHCP config and reload dnsmasq. This will restart the DNS/DHCP server.

Hostname Rules
Track devices by hostname, auto-resolve IPs, apply DNS policies & firewall rules
Hostname | Resolved IP | Type | Firewall | DNS Policy | Status | Last Resolved | Comment
kids-tablet | 192.168.10.24 | both | block | Family | | 2026-05-21 07:30:00 | Block kids tablet internet at night
smart-tv-living | 192.168.10.60 | dns | | IoT | | 2026-05-21 07:30:00 | Apply IoT policy to smart TV
guest-phone | 192.168.10.100 | firewall | allow | | | 2026-05-21 07:28:00 | Guest phone always allowed
media-tv | 192.168.10.40 | both | block | Default | | 2026-05-21 06:00:00 | Restrict media TV
Tracked Clients
DNS clients with hostname tracking enabled
Name | Hostname | Current IP | Firewall | Rule Exists
kids-tablet | kids-tablet | 192.168.10.24 | block | Yes
smart-tv-living | smart-tv-living | 192.168.10.60 | off | Yes
guest-phone | guest-phone | 192.168.10.100 | allow | Yes