Block Ads on MikroTik with AdList

Summary
MikroTik’s AdList feature (RouterOS v7.15+) lets you block advertisements at the DNS level across your entire network. This guide explains why it works, how to prepare your router, add public and custom blocklists, test your configuration, whitelist domains and understand limitations.

Why use AdList instead of Pi‑hole?

The AdList feature is MikroTik’s built-in DNS‑based ad blocker. Unlike a Pi‑hole container, AdList runs natively on RouterOS and requires no extra hardware or containerization. Once enabled, it filters requests to known ad servers (A and AAAA records) by returning 0.0.0.0 instead of the real IP address.

Advantages over Pi‑hole:

  • Simple setup. Add blocklists and it starts working immediately.
  • No container. No need to enable containerization or maintain an external Pi‑hole server.
  • Integrated DNS. Uses RouterOS’s built‑in DNS resolver, so you don’t need to change your router’s DNS settings.
  • Broad compatibility. Works on all MikroTik routers running RouterOS v7.15 or newer.

Because AdList modifies DNS responses, it can block ads across smartphones, TVs, and IoT devices that respect network DNS settings. Keep in mind that this type of blocking cannot stop YouTube video ads or similar in‑app ads.


Prepare your router

Before adding blocklists, update your router to the latest RouterOS v7 release. AdList is available on v7.15 and higher. To upgrade, go to System → Packages → Check for updates and install the latest stable version.

Increase DNS cache size

Adlists are stored inside the DNS cache; a small cache will produce “max cache size reached” errors. In IP → DNS, set the Cache size large enough to hold your lists. For example, a router with 128 MB RAM running one or two lists should set the cache to around 30–40 MB. You can do this through WinBox or via CLI:

/ip/dns set cache-size=40000

Ensure Allow Remote Requests is enabled so your router responds to DNS queries from the LAN.

Add a public adlist

You can import popular blocklists such as the StevenBlack hosts file. In WinBox, go to IP → DNS → Adlist and click +. Paste the list URL (e.g. https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts) and disable SSL Verify unless you have imported the certificate authority. With SSL Verify disabled, the router does not validate the server's certificate, so the download is not authenticated. The list will appear with a match count and name count once processed.

CLI equivalent:

/ip/dns/adlist add \
url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
ssl-verify=no

To see how many domains are loaded and matched, run:

/ip/dns/adlist/print

This prints the match-count (blocked queries) and name-count (entries in the list).

Whitelisting and forwarders

Sometimes you need to allow a specific domain that appears on your blocklist. Create a static forward entry to bypass the adlist. For example:

/ip/dns/static add name=example.com type=FWD

This forwards queries for example.com to the next DNS server. Forwarders also let you define upstream resolvers (e.g. Quad9, Cloudflare). Use /ip dns forwarders add dns-servers=1.1.1.1,8.8.8.8 name=my-fwd and then set static entries to forward-to=my-fwd.

Create and import your own blocklist

For more control, create a custom text file containing domains you want to block. Each line uses the format 0.0.0.0 domain. For example:

0.0.0.0 adverts.com
0.0.0.0 click.adclick.com
0.0.0.0 malware-site.com
0.0.0.0 fraud.scam.com

Upload or create the file directly on RouterOS using the following commands:

/file/add name=adbl.txt
/file/edit adbl.txt contents

Enter the domain list and press Ctrl‑O to save. Then add it to your DNS adlists:

/ip/dns/adlist add file=adbl.txt

You can confirm the file has been parsed by checking the name-count via /ip/dns/adlist/print.
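Before uploading a custom list, it helps to lint it on a workstation. The following is an added example, not part of the original guide or of RouterOS: it checks each line against the 0.0.0.0 domain format described above, and the function names, the allow parameter and the sample lines after the guide's four entries are assumptions made for illustration.

```python
import re

SINKHOLE = "0.0.0.0"   # address the guide's custom-list format uses
# One DNS label: 1-63 chars of a-z, 0-9 or '-', not starting or ending with '-'.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def valid_domain(name):
    """True for a syntactically valid multi-label name of at most 253 characters."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) > 1 and all(LABEL.fullmatch(p) for p in labels)

def lint_blocklist(text, allow=()):
    """Return (clean_lines, problems); allow (hypothetical) lists names that must resolve."""
    allow = {d.lower().rstrip(".") for d in allow}
    seen, clean, problems = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append((lineno, "expected '<address> <domain>'"))
            continue
        ip, domain = parts[0], parts[1].lower().rstrip(".")
        if ip != SINKHOLE:
            problems.append((lineno, f"address {ip} is not {SINKHOLE}"))
        elif not valid_domain(domain):
            problems.append((lineno, f"invalid domain {domain!r}"))
        elif domain in allow:
            problems.append((lineno, f"{domain} is on the allow list"))
        elif domain in seen:
            problems.append((lineno, f"duplicate {domain}"))
        else:
            seen.add(domain)
            clean.append(f"{SINKHOLE} {domain}")
    return clean, problems

SAMPLE = """0.0.0.0 adverts.com
0.0.0.0 click.adclick.com   # tracker
0.0.0.0 malware-site.com
0.0.0.0 fraud.scam.com
0.0.0.0 Adverts.com
203.0.113.7 bank.example
0.0.0.0 bad_domain..com
0.0.0.0 example.com
"""  # constructed sample: the guide's four entries, then deliberately bad lines

if __name__ == "__main__":
    print(*lint_blocklist(SAMPLE, allow=["example.com"]), sep="\n")
```

Write the clean lines to adbl.txt and review the reported problems before adding the file as an adlist.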


Test and troubleshoot

Verify DNS responses

After setting up adlists, flush the DNS cache on a client machine and perform DNS lookups. On Windows, run ipconfig /flushdns and then nslookup someadserver.com. The query should return 0.0.0.0 or 127.0.0.1 instead of the real IP address.
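To repeat this check from a script instead of nslookup, the added example below (not part of the original guide) sends an A query directly to the router and reports whether every returned address is one of the sinkhole values named above. The function names are assumptions, and constructed_reply builds sample data rather than a captured router response.

```python
import socket
import struct
SINKHOLES = {"0.0.0.0", "127.0.0.1"}  # answers the guide expects for a blocked name

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for name."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while msg[pos] & 0xC0 != 0xC0:      # plain label: length byte + data
        if msg[pos] == 0:
            return pos + 1              # root label ends the name
        pos += 1 + msg[pos]
    return pos + 2                      # a 2-byte compression pointer ends the name

def a_records(msg):
    """List the IPv4 addresses in the answer section of a DNS reply."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen                    # other types (e.g. CNAME) are skipped
    return addrs

def is_blocked(msg):
    """True when the reply carries A records and all of them are sinkhole addresses."""
    addrs = a_records(msg)
    return bool(addrs) and all(a in SINKHOLES for a in addrs)

def ask(resolver, name, timeout=2.0):
    """Send the query to the resolver (the router's LAN address) over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recvfrom(4096)[0]

def constructed_reply(name, ip):
    """Build a sample reply (constructed test data, not captured from a router)."""
    q = build_query(name)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + q[12:] + answer
```

On a live network, call is_blocked(ask(router_ip, "adverts.com")) with your router's LAN address; a listed name should give True and an unlisted one False.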

Check matches and cache usage

Monitor match-count to see how many ad requests are being blocked. If you see “adlist read: max cache size reached” errors, increase your DNS cache size or remove large lists. Remember that lists are stored in internal memory, so ensure your router has sufficient free space.


Maintenance and limitations

  • Automatic updates. Adlist entries update automatically; RouterOS checks for new list updates every four hours. You can also issue a reload manually using /ip/dns/adlist/reload but it’s usually not necessary.
  • Memory usage. Large blocklists consume RAM and storage. Avoid adding more lists than your router can handle.
  • DNS-only blocking. Because AdList works at the DNS layer, it cannot block ads served from the same host as the video stream (e.g. YouTube). Browser extensions or Pi‑hole may still be needed for in‑app or YouTube ads.
  • Network configuration. Ensure all devices on your network use the router’s IP address as their DNS server. Clients using DoH/DoT (DNS over HTTPS/TLS) may bypass your ad blocking; consider firewall rules to force DNS traffic through your router.
