DNS Filtering & Firewall
Aegis DNS
DNS firewall with ad-blocking, parental controls, per-client policies, and real-time query analytics.
Running · 47d 12h
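| Metric | Value | Detail |
|---|---|---|
| Queries 1h | 3842 | Last hour |
| Blocked 1h | 914 | Filtered |
| Rules | 164228 | Active filters |
| Lists | 7/9 | Blocklists |
| Clients | 8 | Devices |
| Total Queries | 84211 | |
| Queries Blocked | 18440 | |
| Percentage Blocked | 21.9% | |
| Domains on Lists | 164228 | |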
Charts: Queries Over Time (Permitted vs Blocked); Total Queries Over 24h (Hourly trend); Client Activity Over 24h (Top clients); Query Types; Upstream Servers.
Top Permitted Domains (9 entries)
| Domain | Queries |
|---|---|
| updates.example.net | 881 |
| cdn.safe.example | 542 |
| api.push.example | 398 |
| pool.ntp.example | 341 |
| connectivity-check.example | 289 |
| metrics.example.net | 204 |
| ntp.org | 188 |
| dns.google | 167 |
| gateway.lan | 142 |

Top Blocked Domains (8 entries)
| Domain | Queries |
|---|---|
| telemetry.example.com | 604 |
| ads.doubleclick.example | 422 |
| *.ads.example | 388 |
| ads.google.com | 311 |
| *.adserv.example | 244 |
| *.crashlytics.example | 198 |
| doh.cloudflare.example | 167 |
| *.malware-c2.example | 89 |

Top Clients (Total) (8 clients)
| Client | Queries |
|---|---|
| smart-tv-living | 3841 |
| media-tv | 4820 |
| office-laptop | 3214 |
| kids-tablet | 2811 |
| smart-speaker | 2218 |
| iphone-ev | 1928 |
| guest-phone | 841 |
| nas | 420 |

Top Clients (Blocked Only)
| Client | Blocked |
|---|---|
| kids-tablet | 1044 |
| smart-tv-living | 892 |
| smart-speaker | 710 |
| media-tv | 612 |
| guest-phone | 312 |
Rules (showing 12 of 164228)
| Domain | Type | Action | Category | Source | Enabled | |
|---|---|---|---|---|---|---|
| | wildcard | block | ads | manual | | |
| | exact | block | tracking | hagezi | | |
| | rewrite | rewrite | family | policy | | |
| | wildcard | block | ads | hagezi | | |
| | exact | block | ads | hagezi | | |
| | wildcard | block | ads | oisd | | |
| | exact | block | tracking | manual | | |
| | wildcard | block | tracking | hagezi | | |
| | exact | block | adult | oisd | | |
| | wildcard | block | malware | manual | | |
| | exact | block | doh | manual | | |
| | rewrite | rewrite | local | manual | | |
Blocklist Subscriptions
HaGeZi Max seeds Ultimate, TIF, DoH bypass and native telemetry lists from the official GitHub repository. Daily auto-update at 04:17.
Ultimate (adblock)
Pro++ (domains)
| Name | URL | Format | Rules | Category | Updated |
|---|---|---|---|---|---|
| HaGeZi Multi Ultimate | https://example.invalid/hagezi.txt | adblock | 91442 | ads | 18m ago |
| OISD Basic | https://example.invalid/oisd.txt | hosts | 64188 | tracking | 21m ago |
| Steven Black Hosts | https://example.invalid/stevenblack.txt | hosts | 18200 | ads | 45m ago |
| Phishing Arm | https://example.invalid/phishing-arm.txt | adblock | 34200 | phishing | 2h ago |
| 1Hosts Lite | https://example.invalid/1hosts-lite.txt | hosts | 12400 | ads | 1h ago |
| WindowsSpyBlocker | https://example.invalid/winspy.txt | hosts | 4820 | tracking | 3h ago |
| DNSBL Malware | https://example.invalid/dnsbl-malware.txt | adblock | 8900 | malware | 30m ago |

| Time | Domain | Client | Type | Action | Reason / Rule | Response |
|---|---|---|---|---|---|---|
DNS Clients (8)
| IP | MAC | Name | Track Hostname | Firewall | Policy | Blocked Services | Client DNS | DHCP Bind | Stats (24h) | |
|---|---|---|---|---|---|---|---|---|---|---|
| 192.168.10.11 | AA:BB:CC:00:00:11 | | | | | tracking | | | Q:3214 B:184 R:12% | |
| 192.168.10.24 | AA:BB:CC:00:00:24 | | | | | youtube, tiktok | | | Q:2811 B:1044 R:48% | |
| 192.168.10.40 | AA:BB:CC:00:00:40 | | | | | | | | Q:4820 B:612 R:22% | |
| 192.168.10.55 | AA:BB:CC:00:00:55 | | | | | tracking | | | Q:1928 B:148 R:8% | |
| 192.168.10.60 | AA:BB:CC:00:00:60 | | | | | telemetry | | | Q:3841 B:892 R:31% | |
| 192.168.10.65 | AA:BB:CC:00:00:65 | | | | | telemetry, tracking | | | Q:2218 B:710 R:35% | |
| 192.168.10.100 | AA:BB:CC:00:01:00 | | | | | facebook, instagram | | | Q:841 B:312 R:44% | |
| 192.168.10.8 | AA:BB:CC:00:00:08 | | | | | | | | Q:420 B:8 R:2% | |
DNS Policies Create profiles, assign them to clients, and manage service/schedule metadata.
Default (allow)
Family (allow)
IoT (allow)
Guest (block)
Family Schedule Enforced every minute by nft for clients assigned to the Family policy.
Blocked Services ON = globally blocked for all clients. OFF = available for per-policy/client assignment only.
Youtube (3 domains): youtube.com, googlevideo.com, ytimg.com
Tiktok (2 domains): tiktok.com, tiktokcdn.com
Tracking (2 domains): telemetry.example.com, metrics.example.net
Console Games (custom): psn.example, xbox.example
Safe Search Engines DNS rewrites used by policies.
Google (rewrite): google.com -> forcesafesearch.google.com
Bing (rewrite): bing.com -> strict.bing.com
DNS Groups
Kids
ID 1 | 1 clients | 2 rules | 1 lists
Clients
kids-tablet
Rules
#1 *.ads.example, #2 telemetry.example.com
Lists
HaGeZi Multi Ultimate
Danger Zone
DNS Access Control
| ID | Type | Value | Comment | Enabled | |
|---|---|---|---|---|---|
| 1 | allowed_client | 192.168.10.0/24 | LAN | ✓ | |
| 2 | blocked_host | doh.example.com | DoH bypass | ✓ |
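
| Hostname | Type | TTL | IP | Comment |
|---|---|---|---|---|
| nas.lan | A | 60 | 192.168.10.8 | NAS |
| gateway.lan | A | 60 | 192.168.10.1 | Gateway |
| printer.lan | A | 120 | 192.168.10.15 | Office printer |
| camera.lan | A | 60 | 192.168.10.110 | IP camera |
| ntp.lan | A | 3600 | 192.168.10.1 | NTP server |
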
DNS Rewrites
| Domain | Type | Rewrite |
|---|---|---|
| gateway.lan | A | gateway.lan → 192.168.10.1 |
| safe-search.google.com | CNAME | safe-search.google.com → forcesafesearch.google.com |
| bing.com | CNAME | bing.com → strict.bing.com |
Upstream DNS Servers
| Address | Protocol | Domain | Priority | |
|---|---|---|---|---|
| 1.1.1.1 | udp | — | 100 | |
| 9.9.9.9 | tls | quad9.net | 110 | |
| 1.0.0.1 | udp | — | 120 | |
| 8.8.8.8 | udp | — | 200 |
DNS Settings
| Metric | Value | Detail |
|---|---|---|
| Active Leases | 7 | Connected |
| Scopes | 1 | DHCP pools |
| Static Leases | 3 | Reservations |
| DHCP | ON | Running |
DHCP Scopes 1 configured
| Name | Interface | Subnet | Range Start | Range End | Gateway | DNS | Domain | Lease | Status | |
|---|---|---|---|---|---|---|---|---|---|---|
| LAN | lan0 | 192.168.10.0/24 | 192.168.10.50 | 192.168.10.250 | 192.168.10.1 | 192.168.10.1 | lan | 43200s | ON |
Active Leases 7 total
| IP | MAC | Hostname | State | Source | |
|---|---|---|---|---|---|
| 192.168.10.11 | AA:BB:CC:00:00:11 | office-laptop | active | dnsmasq | |
| 192.168.10.24 | AA:BB:CC:00:00:24 | kids-tablet | active | dnsmasq | |
| 192.168.10.40 | AA:BB:CC:00:00:40 | media-tv | active | dnsmasq | |
| 192.168.10.55 | AA:BB:CC:00:00:55 | iphone-ev | active | dnsmasq | |
| 192.168.10.60 | AA:BB:CC:00:00:60 | smart-tv-living | active | dnsmasq | |
| 192.168.10.65 | AA:BB:CC:00:00:65 | smart-speaker | active | dnsmasq | |
| 192.168.10.100 | AA:BB:CC:00:01:00 | guest-phone | active | dnsmasq |
Static Leases 3 reservations
| MAC | IP | Hostname | Comment | |
|---|---|---|---|---|
| AA:BB:CC:00:00:08 | 192.168.10.8 | nas | Storage | |
| AA:BB:CC:00:00:15 | 192.168.10.15 | printer | Office Printer | |
| AA:BB:CC:00:00:1A | 192.168.10.110 | camera | IP Camera |
DHCP Options 3 configured
| Scope | Code | Name | Value | Type | Enabled | |
|---|---|---|---|---|---|---|
| Global | 6 | DNS Servers | 192.168.10.1 | ips | ON | |
| Global | 3 | Router | 192.168.10.1 | ips | ON | |
| Global | 15 | Domain Name | lan | string | ON |
DHCP Safety Checks
Before enabling DHCP on an interface, verify these checks:
1. No conflicting DHCP server
Detect existing DHCP servers on the network.
2. Validate Scope Config
Check that range, gateway, and subnet are valid and non-overlapping.
3. Never on WAN
Do not enable DHCP on the WAN interface — this can break your network.
⚠ Danger Zone
Write DHCP config and reload dnsmasq. This will restart the DNS/DHCP server.
Hostname Rules Track devices by hostname, auto-resolve IPs, apply DNS policies & firewall rules
| Hostname | Resolved IP | Type | Firewall | DNS Policy | Status | Last Resolved | Comment | |
|---|---|---|---|---|---|---|---|---|
| kids-tablet | 192.168.10.24 | both | block | Family | | 2026-05-21 07:30:00 | Block kids tablet internet at night | |
| smart-tv-living | 192.168.10.60 | dns | | IoT | | 2026-05-21 07:30:00 | Apply IoT policy to smart TV | |
| guest-phone | 192.168.10.100 | firewall | allow | — | | 2026-05-21 07:28:00 | Guest phone always allowed | |
| media-tv | 192.168.10.40 | both | block | Default | | 2026-05-21 06:00:00 | Restrict media TV | |
Tracked Clients DNS clients with hostname tracking enabled
| Name | Hostname | Current IP | Firewall | Rule Exists |
|---|---|---|---|---|
| kids-tablet | kids-tablet | 192.168.10.24 | block | Yes |
| smart-tv-living | smart-tv-living | 192.168.10.60 | off | Yes |
| guest-phone | guest-phone | 192.168.10.100 | allow | Yes |