Tutorial
Block Ads on MikroTik with AdList
Block ads at the DNS layer on MikroTik routers with the native AdList feature in RouterOS v7.15+ — no Pi-hole or extra hardware needed.
Summary: MikroTik AdList (RouterOS v7.15+) blocks advertisements at the DNS layer for every device on the LAN, no Pi-hole and no extra hardware required. This guide covers the prerequisites, public and custom blocklist setup, testing, whitelisting, and the limitations to expect (in-app and YouTube video ads are out of scope for DNS-based filtering).
Why use AdList instead of Pi-hole?
AdList is MikroTik’s built-in DNS-based ad blocker. Unlike a Pi-hole container, AdList runs natively on RouterOS and needs no separate device, container runtime, or DNS reconfiguration. Once enabled, it filters queries to known ad servers (A and AAAA records) by returning 0.0.0.0 instead of the real IP. Every phone, TV, console, and IoT device on the LAN inherits the block as long as it uses the MikroTik for DNS.
Compared with running Pi-hole, AdList wins on three operational dimensions: setup is one panel inside IP → DNS rather than provisioning a separate host; updates ride along with RouterOS upgrades rather than a parallel apt cycle; and there’s one fewer single point of failure on the network. The trade-off is RAM — large lists consume cache space, so you may need to bump it.
Prepare the router
Two prerequisites have to be in place before AdList is useful:
Update to RouterOS v7.15 or newer. AdList shipped in v7.15. Go to System → Packages → Check for updates and install the latest stable. Older releases simply do not expose the /ip dns adlist path.
Increase the DNS cache size. Adlists live inside the DNS cache; the default cache size is too small for any meaningful list and produces adlist read: max cache size reached errors. In IP → DNS, raise Cache size to a value large enough to hold your lists — for a router with 128 MB RAM running one or two lists, 30–40 MB is a reasonable target.
/ip/dns set cache-size=40000
Make sure Allow Remote Requests is enabled so LAN devices can query the router for DNS.
Add a public adlist
Public blocklists like StevenBlack’s hosts file give you broad ad and tracker coverage on day one. Under IP → DNS → Adlist, click +, paste the list URL, and disable SSL Verify unless you have already imported the certificate authority. With SSL Verify off the router does not validate the server certificate when fetching the list, so re-enable it once the CA is imported. The list will appear with a match count and name count once parsed.
CLI equivalent:
/ip/dns/adlist add \
    url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
    ssl-verify=no
To check how many domains loaded and how many queries have been blocked:
/ip/dns/adlist/print
match-count is blocked queries; name-count is the number of entries the list contains.
Whitelisting and forwarders
Sometimes a domain you actually want is on a public blocklist. Add a static forward entry to bypass AdList for that specific name:
/ip/dns/static add name=example.com type=FWD
Forwarders also let you define upstream resolvers (Quad9, Cloudflare) for specific domains. Define the forwarder pool first, then point static entries at it:
/ip/dns/forwarders add dns-servers=1.1.1.1,8.8.8.8 name=my-fwd
/ip/dns/static add name=example.com type=FWD forward-to=my-fwd
Create and import a custom blocklist
For more control, build your own list. Each line uses 0.0.0.0 domain:
0.0.0.0 adverts.com
0.0.0.0 click.adclick.com
0.0.0.0 malware-site.com
0.0.0.0 fraud.scam.com
Create or upload the file on RouterOS:
/file/add name=adbl.txt
/file/edit adbl.txt contents
Enter the domain list and press Ctrl-O to save, then attach it to AdList:
/ip/dns/adlist add file=adbl.txt
Confirm the file parsed by checking name-count via /ip/dns/adlist/print.
Test and troubleshoot
Flush the DNS cache on a client and look up a known ad domain:
ipconfig /flushdns
nslookup someadserver.com
The answer should come back 0.0.0.0 instead of the real IP.
Monitor match-count over time to see whether the list is doing useful work. If you see adlist read: max cache size reached, raise the cache size or drop a list. For deeper DNS hardening to pair with this, see our guides to configuring DNS over HTTPS and to blocking traffic to a country.
Maintenance and limitations
- Automatic updates. RouterOS refreshes adlists every four hours. Manual reload via /ip/dns/adlist/reload is available but rarely needed.
- Memory budget. Large lists eat RAM. Match the number and size of lists to the device’s free memory; an hAP ac² has very different headroom than an RB5009.
- DNS-only blocking. AdList cannot block ads served from the same host as the content (YouTube video ads in particular). Pair it with a browser extension if those bother you.
- DoH/DoT bypass. Clients with their own DoH or DoT resolvers bypass the router’s DNS entirely. Block outbound DNS to anywhere but the router with a firewall rule to enforce the policy.
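The firewall policy from the DoH/DoT bullet above, together with the exposure that Allow Remote Requests creates, written out as RouterOS rules. This is an added example, not configuration from the original guide; it assumes an interface list named LAN for the client-facing interfaces, and the doh-resolvers list name and its two entries are illustrative.

```routeros
# Added example (not from the original guide).
# Assumption: interface list "LAN" holds the client-facing interfaces, as in
# MikroTik's default configuration. "doh-resolvers" is an illustrative name.

# 1. allow-remote-requests makes the router answer DNS on every interface.
#    Refuse queries that do not arrive from the LAN so it is not an open resolver.
/ip/firewall/filter
add chain=input in-interface-list=!LAN protocol=udp dst-port=53 action=drop comment="adlist: no DNS from outside LAN (udp)"
add chain=input in-interface-list=!LAN protocol=tcp dst-port=53 action=drop comment="adlist: no DNS from outside LAN (tcp)"

# 2. Drop plain DNS and DoT (TCP 853) that clients send past the router.
#    Queries addressed to the router use the input chain and are unaffected.
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 action=drop comment="adlist: block external DNS (udp)"
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53,853 action=drop comment="adlist: block external DNS/DoT (tcp)"

# 3. DoH shares port 443 with ordinary HTTPS, so it can only be matched by
#    destination. Sample entries: the resolvers used as forwarders in this guide.
/ip/firewall/address-list
add list=doh-resolvers address=1.1.1.1 comment="sample entry"
add list=doh-resolvers address=8.8.8.8 comment="sample entry"
/ip/firewall/filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=443 dst-address-list=doh-resolvers action=drop comment="adlist: block known DoH (tcp)"
add chain=forward in-interface-list=LAN protocol=udp dst-port=443 dst-address-list=doh-resolvers action=drop comment="adlist: block known DoH (udp/HTTP3)"

# 4. Rules are appended to the end of each chain; move them above any rule
#    that accepts new LAN-to-WAN connections, then watch the counters.
/ip/firewall/filter print stats where comment~"adlist"
```

The DoH rules only cover resolvers present in the address list, so the list needs upkeep as clients move to other endpoints.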
Scale ad blocking across every site
Maintaining AdList on one router is easy. Maintaining it across a fleet — with custom whitelists per customer, list size budgets per device model, and the inevitable drift between sites — is harder than people expect.
MKController pushes the same AdList configuration, custom lists, and forwarder rules to every MikroTik in your inventory in one operation. When match-count falls off a cliff or max cache size errors start appearing in the log, the dashboard surfaces the affected devices so you can fix them before customers notice.