@ozankiratli
Last active October 22, 2025 15:51
PiHoleLists

FYI (July 24, 2025): I've been away since July 11, dealing with an emergency move. I'll be back working on all the amazing comments y'all have been putting down, most possibly by the first weekend of August. I appreciate all the contributions everybody has been making and all the time everybody has put to make all of our lives better.

Streaming Whitelists and Blacklists for PiHole

Last Updated On:           July 10, 2025
Last Updated Platform:     Peacock

Roku

Do not block (or whitelist if blocked) for functionality (Only block these if you know what you're doing)

  • roku.com, rokutime.com, and therokuchannel.roku.com : for obvious reasons.
  • api.roku.com and api.rokutime.com : System functionality.
  • retail.rpay.roku.com and api.rpay.roku.com : Payment api.
  • image.roku.com : Checking internet connectivity by the app.

"The Roku Channel" related domains. (Block these only if you don't use "The Roku Channel")

  • configsvc.sc.roku.com and keysvc.sc.roku.com : Channel functionality.
  • content.sr.roku.com, content-detail.sr.roku.com, and playback-detail.sr.roku.com : Loading Content
  • images.sr.roku.com : Loading video images
  • api2.sr.roku.com : Channel api that delivers videos.
  • vod.delivery.roku.com, and vod-playlist.sr.roku.com : Loading the video content.
  • rights-manager.sr.roku.com and wv-license.sr.roku.com : Availability and access to content.
  • static-delivery.sr.roku.com : Subtitles.
  • bookmarks.sr.roku.com : Remembering the last location on a video.
  • navigation.sr.roku.com and images-svc.sr.roku.com : Unknown, still being tested.

IMPORTANT: If "The Roku Channel" is having issues loading content, try whitelisting the following. Still needs testing.

tis.cti.roku.com
ls.cti.roku.com

If you don't use The Roku Channel app you're welcome to block all these with the following regex.

^[^.]+\.(sr|sc)\.roku\.com$

Block list RegEx

Domains that contain logs, ads, web, cti, voice, or prod.mobile as exact labels:

^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$

I found some names (sometimes with characters before or after them).

^(([^.]+\.)*[^.]*(amarillo|amoeba|austin|benjamin|bryan|camden|cooper|copper|digdug|external|giga|gilbert|griffin|hereford|lb|liberty|littlefield|longview|madison|marlin|midland|paolo|richmond|rollingwood|scribe|sugarland|tyler|victoria|windsor)[^.]*(\.[^.]+)*\.)roku\.com$

Next, I found some queries starting with some words and decided that I didn't want them.

^((captive|cloudservices|wwwimg)\.)roku\.com$

Some .sr.roku.com addresses combined together:

^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$

ravm.tv queries, I captured all with:

^([^.]+\.)*ravm\.tv$

Individual domains that don't fit a pattern can be added as exact domains:

lat-services.api.data.roku.com
roku.admeasurement.com

Bonus: Overkill for admeasurement:

^([^.]+\.)*roku([^.]+\.)*\.admeasurement([^.]+\.)*\.com$
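A check that the Roku deny regexes above do not catch the domains the page lists as required, added here as an example and not part of the original gist. Python's `re` stands in for Pi-hole's regex engine (an assumption; these patterns use only basic extended-regex syntax), and `compile_rules`, `collisions` and `not_covered` are hypothetical helper names.

```python
import re

# Deny regexes from the Roku "Block list RegEx" section of this page.
NAMES = ("amarillo|amoeba|austin|benjamin|bryan|camden|cooper|copper|digdug|"
         "external|giga|gilbert|griffin|hereford|lb|liberty|littlefield|"
         "longview|madison|marlin|midland|paolo|richmond|rollingwood|scribe|"
         "sugarland|tyler|victoria|windsor")
DENY = [
    r"^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$",
    r"^(([^.]+\.)*[^.]*(" + NAMES + r")[^.]*(\.[^.]+)*\.)roku\.com$",
    r"^((captive|cloudservices|wwwimg)\.)roku\.com$",
    r"^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$",
    r"^([^.]+\.)*ravm\.tv$",
]
# Optional rule for setups that do not use The Roku Channel.
ROKU_CHANNEL_DENY = r"^[^.]+\.(sr|sc)\.roku\.com$"

# Domains the page lists as needed (system, The Roku Channel, cti candidates).
SYSTEM = ["roku.com", "rokutime.com", "therokuchannel.roku.com", "api.roku.com",
          "api.rokutime.com", "retail.rpay.roku.com", "api.rpay.roku.com",
          "image.roku.com"]
CHANNEL = ["configsvc.sc.roku.com", "keysvc.sc.roku.com", "content.sr.roku.com",
           "content-detail.sr.roku.com", "playback-detail.sr.roku.com",
           "images.sr.roku.com", "api2.sr.roku.com", "vod.delivery.roku.com",
           "vod-playlist.sr.roku.com", "rights-manager.sr.roku.com",
           "wv-license.sr.roku.com", "static-delivery.sr.roku.com",
           "bookmarks.sr.roku.com", "navigation.sr.roku.com",
           "images-svc.sr.roku.com"]
CTI = ["tis.cti.roku.com", "ls.cti.roku.com"]

def compile_rules(patterns):
    """Return (compiled, invalid); invalid holds (pattern, error) pairs."""
    compiled, invalid = [], []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:  # e.g. an unbalanced parenthesis
            invalid.append((pattern, str(exc)))
    return compiled, invalid

def collisions(patterns, domains):
    """Map each required domain to the deny patterns that would block it."""
    compiled, _ = compile_rules(patterns)
    hits = {}
    for domain in domains:
        matched = [rx.pattern for rx in compiled if rx.search(domain.lower())]
        if matched:
            hits[domain] = matched
    return hits

def not_covered(pattern, domains):
    """List the domains a single deny pattern fails to match."""
    rx = re.compile(pattern)
    return [d for d in domains if not rx.search(d.lower())]

if __name__ == "__main__":
    for domain, rules in collisions(DENY, SYSTEM + CHANNEL + CTI).items():
        print(f"{domain}: denied by {len(rules)} rule(s), needs an allow entry")
    print("missed by the sr|sc rule:", not_covered(ROKU_CHANNEL_DENY, CHANNEL))
```

Against the lists on this page, the only collisions are the two cti hosts, so they need explicit allow entries once the cti deny rule is active. `vod.delivery.roku.com` is the one Roku Channel host the `sr|sc` rule does not cover.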

Peacock

Around Jan 7, 2025 Peacock started showing ads on Roku devices. The culprit in my server was f701e91aabed43fa8064e91da398bfbc.mediatailor.us-east-1.amazonaws.com . I assume different regions would have different strings, and the first random part can change.

July 4, 2025 Update: The current settings mostly work without ads, except that videos don't resume where they left off; they start from the beginning of the content.

Whitelist

| Type | Domain | Note |
| --- | --- | --- |
| Exact | mytv.clients.peacocktv.com | Account access |
| Exact | bff-ext.clients.peacocktv.com | Account access |
| Exact | imageservice.disco.peacocktv.com | Content images |
| Exact | play.ovp.peacocktv.com | Content loading |
| RegEx | `g[^.]+-vod-us-cmaf-prd-mc\.cdn\.peacocktv\.com` | Video loading |
| Exact | atom.peacocktv.com | Under consideration |
| Exact | cybertron.id.peacocktv.com | Under consideration |
| Exact | meg.disco.peacocktv.com | Under consideration |
| Exact | ovp.peacocktv.com | Under consideration |
| Exact | pconfig-prd.cdn.peacocktv.com | Under consideration |

Blacklist

| Type | Domain | Note |
| --- | --- | --- |
| Exact | mt.ssai.peacocktv.com | Use this for now |
| RegEx | `g[^.]+-vod-us-cmaf-prd-[^.]+\.cdn\.peacocktv\.com` | Ads load through various links |

**Important:** Use this with caution, someone reported it blocked their Amazon Echo devices. Needs confirmation.

Paramount+

Paramount+ settings and how they deliver content and ads change often. This list has been stable on Roku for some time now. The browser hasn't been stable. Under a moderate to aggressive blocking setup, Paramount+ (even the no-ad version) tends to not work. If you're having issues with Paramount+, check your Query Logs and try whitelisting and blacklisting the domains that appear there.

Whitelist

These domains are needed for the functionality of the service.

| Type | Domain | Function |
| --- | --- | --- |
| Exact | saa.paramountplus.com | Main |
| Exact | saa.cbsi.com | Main |
| Exact | vod-gcs-cedexis.cbsaavideo.com | Loads the video |
| Exact | cbsinteractive.hb.omtrdc.net | Loads the video |
| Exact | cbsi.live.ott.irdeto.com | Loads the video |
| Exact | tags.tiqcdn.com | Last location |
| Exact | wwwimage-us.pplusstatic.com | Image loading |
| Exact | wwwimage-secure.cbsstatic.com | Image loading |
| Exact | thumbnails.cbsig.net | Image loading |
| Exact | bakery.pplus.paramount.tech | Mobile App |
| RegEx | `^[^.]+\.cws\.conviva\.com$` | Video loading |

Blacklist

Most other domains can be blocked. The ones below might be missed by Pi-hole, or might have been whitelisted in the past for one reason or another. There are other domains that can be blocked; here are some examples. (I'll be working on a solution that combines exact and regex blocking.)

| Type | Domain | Notes |
| --- | --- | --- |
| Exact | imasdk.googleapis.com | Might be needed for loading on PC (needs testing) |
| Exact | enduser.adsrvr.org | |
| Exact | cdn.privacy.paramount.com | |
| Exact | www.googletagmanager.com | |
| Exact | pagead2.googlesyndication.com | |
| Exact | availability-fastly.syncbak-mediastore-cedexis.cbsaavideo.com | |
| Exact | cbsi.demdex.net | |
| Exact | vod-gcs-qwilt.cbsaavideo.com | |
| Exact | vod-gcs-google.cbsaavideo.com | |

Note: If you use unbound for DNS resolution, enabling DNSSEC will block access to Paramount+ from the browser. Roku still works.

Disney+

Try adding this to the regex list. (Not tested thoroughly; any input is welcome.)

^([^.]+\.)*disneyadvertising\.com$ 
@ozankiratli
Author

ozankiratli commented May 12, 2025

> I'd like to help you with Peacock. I too saw mediatailor on an app, but blocking media tailor completely broke live TV. So here's a better solution: it's mt.ssai.peacocktv.com. It's mediatailor, but Peacock's version of it. That stopped ads for AdGuard users. See here: AdguardTeam/AdguardFilters#196118 (comment)

@jordansworld Thanks for this! Added and currently testing on my end. Will make the change permanent in a couple of days.

@ozankiratli
Author

> It appears my last video watched is no longer being kept in Paramount Plus.

@junbug178 I don't have this issue; I still have the last watched kept as long as Paramount+ works. However, Paramount+ is the most problematic platform on my end due to constant problems with Unbound. I can only make it work for a specific period of time before DNS resolution becomes impossible. I can only get it to work after restarting the Unbound service, DNS resolver on PiHole, and Roku. I also can't watch it on PC; any help on that end would be welcome.

@jordansworld

> I'd like to help you with Peacock. I too saw mediatailor on an app, but blocking media tailor completely broke live TV. So here's a better solution: it's mt.ssai.peacocktv.com. It's mediatailor, but Peacock's version of it. That stopped ads for AdGuard users. See here: AdguardTeam/AdguardFilters#196118 (comment)
>
> @jordansworld Thanks for this! Added and currently testing on my end. Will make the change permanent in a couple of days.

no problem! glad it works

@aqthegreat

> It appears my last video watched is no longer being kept in Paramount Plus.

I had that problem a while ago. My fix was to whitelist tags.tiqcdn.com

@alechouse97

alechouse97 commented Jul 11, 2025

For Peacock, I discovered my ads were being served from a domain prefixed with g006 instead of g008. I updated the relevant rules to:

||g*-vod-us-cmaf-prd-*.cdn.peacocktv.com
@@||g*-vod-us-cmaf-prd-mc.cdn.peacocktv.com

@ozankiratli
Author

@alechouse97 Made the edits! Thanks for the contribution.

@alechouse97

Happy to help! I opened a feature request in the Adguardhome filters repo (which is what I use) and credited your list. Hope this fix keeps working!

@ECSmith88

After several days of debugging I've been able to get a regex block in place to make it a little easier for everyone. This is what I'm using currently to capture the numerous servers in Peacock's CDN. It works off the above regex block using g008.

g\d{3}-vod-us-cmaf-prd-[a-zA-Z]{2}-[^.]+\.cdn\.peacocktv\.com

g\d{3}-vod-us-cmaf-prd-[a-zA-Z]{2}\.cdn\.peacocktv\.com

I added this as a regex deny because if the content isn't coming from the mc prod server as stated above, ads get through.

g\d{3}-sf-us-cmaf-prd-[a-zA-Z]{2}-[^.]+\.cdn\.peacocktv\.com

I also noticed this morning a new set of servers being served through Peacock. I hope this helps someone. When you figure out the other servers under consideration please update. Every once in a while a set of ads will pop up and one of those domains is in the logs. I haven't narrowed anything down just yet but wanted to provide my insight. I've been banging my head on this for the better part of a week.

@mvondras

Paramount + worked great. Thanks for the help.

@jaltation

I can't get around the ads on Paramount+ (on Roku) anymore without blocking video entirely. I've tried a whole slew of things that others have suggested to no avail. The only way I can get video to play is by whitelisting pubads.g.doubleclick.net but that brings back ads.

@IBBoard

IBBoard commented Aug 3, 2025

> I can't get around the ads on Paramount+ (on Roku) anymore without blocking video entirely. I've tried a whole slew of things that others have suggested to no avail. The only way I can get video to play is by whitelisting pubads.g.doubleclick.net but that brings back ads.

I'm in the same situation. But once it has shown ads on one episode then it'll happily load more episodes without ads. So I disable the PiHole for 30 seconds, start the first episode, accept that I've got to watch ads, then the second episode starts and… no ads! It's a pain, but better than all of the awful cuts to an increasing number of gambling ads.

@SirGc

SirGc commented Aug 7, 2025

This is a list I was using that blocked many streaming service ads, including Peacock until recently. It blocks Paramount+ ads perfectly fine. I did have to whitelist some Hulu domains, otherwise the videos wouldn't play. I only use TV, iOS and MacOS.

https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt

@Cringelord216

So I did the Peacock blocks and my Apple TV 4K can load but all of my other devices will not load. I have a Windows PC, iPhone 16 Pro Max, and a Samsung Tab S9+. I am getting the Error code CVF_20 :- 1000 :- 1000)

Peacock was working for awhile but I think this week they pushed out an update that made it stop. Let me know if I should do anything.

@IBBoard

IBBoard commented Aug 16, 2025

I've not found a combination of rules that works on Paramount+ in the UK yet. The "second episode doesn't have ads" behaviour seems to have stopped (or at least is far less consistent), it now occasionally hangs just before going to an ad break, and even @SirGc's list is either blocking videos loading entirely or I whitelist a subset and the video starts but with adverts.

@brian163

brian163 commented Sep 4, 2025

> So I did the Peacock blocks and my Apple TV 4K can load but all of my other devices will not load. I have a Windows PC, iPhone 16 Pro Max, and a Samsung Tab S9+. I am getting the Error code CVF_20 :- 1000 :- 1000)
>
> Peacock was working for awhile but I think this week they pushed out an update that made it stop. Let me know if I should do anything.

Yes, there are additional domains in the mix to whitelist now depending on the content you are trying to watch. Look in your logs for *.g00X-sf-us-cmaf-prd-fy, *.g00X-sle-us-cmaf-prd-mc, and *.g00X-sle-us-cmaf-prd-fy related entries being blocked. (X=1-9)

@tabanger

tabanger commented Sep 5, 2025

Here's some information I've gleaned for Peacock TV through my testing:

atom.peacocktv.com - Needed for program info pages
tv.clients.peacocktv.com - needed to launch Peacock TV app
play.clients.peacocktv.com - needed to play main video programs
mytv.clients.peacocktv.com - Needed for My Stuff and season progress tracking
xtv.clients.peacocktv.com - unknown

None of these seemed to have any effect on the ads, so I don't think any of these "clients" hosts should be blocked.

@tabanger

tabanger commented Sep 6, 2025

Some more Peacock information:

Functions
sf - don't know what 'sf' means, but it's used for trailers (with fallback) and extra content
vod - video on-demand, main video program (with fallback), and it seems like ads (no fallback) are now being served inline from these servers
sle - unknown, I've not actually seen this one in my usage

CDNs
ak - Akamai
fy - Fastly
cf - CloudFront (Amazon)
mc - Media CDN (Google)

Actual deployment
sf-ak - Trailers (round-robin)
sf-fy - Trailers (round-robin) and Extras
vod-mc - main content (primary) and inline ads (round-robin)
vod-fy - main content (secondary) and inline ads (round-robin)

The above is as best as I can figure. I think this is what happens every time a user starts playback of a video:

  1. User clicks a video to start playback
  2. Peacock fetches ad info in round-robin fashion from one of the vod servers, but there is no fallback behavior so if the vod server selected is blocked, ad load fails
  3. Starts playback of the main content from the primary vod server, and falls back to the secondary server if necessary.

You can't block both vod servers because then your main content won't play. But if you block just one vod server (either), then that means your main content will always play (because it has fallback), and ad info loading will be blocked about half the time (because it doesn't fallback).

So, if your video content loads with ad info, then just back out and try playing it again, until you get a load where the ad info is blocked. At least that's the explanation that makes sense to fit the behavior I saw in my extensive testing.

A single Regex Deny entry for one vod server, like the following, should have the effect described above, without the need for any additional or more complex entries:
g\d+-vod-us-cmaf-prd-fy\.cdn\.peacocktv\.com

It doesn't look like the "sf" servers need to be blocked, since they don't appear to be involved in the ad loading. Having them enabled or disabled had no effect on the ad loads.

@alechouse97

@tabanger

I tried just blocking the vod-fy domain like you suggested, but I was seeing ads with this. I think there are (at least) 4 vod servers based on what I have seen in the logs:

g*-vod-us-cmaf-prd-sf.cdn.peacocktv.com
g*-vod-us-cmaf-prd-ak.cdn.peacocktv.com
g*-vod-us-cmaf-prd-cf.cdn.peacocktv.com
g*-vod-us-cmaf-prd-mc.cdn.peacocktv.com

I've had the best luck blocking all but one of these. My working idea is that they don't serve the ads and the main content from the same server at the same time. They maybe first load in the main content, and then reach out to another server for the ads, but then that is blocked?

Strangely, sometimes the content will start with ads, but backing out and relaunching the show a couple of times will eventually work.

@tabanger

tabanger commented Sep 7, 2025

@alechouse97, yes, as I mentioned, you will still see ads, but you just have to back out and try again. There seems to be no way to block them completely using just pihole, since they are now served from the same servers as the main content.

It looks like people might get some different "vod" servers, based on where they are geographically. I never saw any vod-ak servers, but I saw a comment on Reddit from someone who did. So, a better general approach would be to block ALL "vod" servers, and then whitelist just one vod server that you see in your query logs. For example, whitelisting just "vod-ak" would not work for me, because my client never tries to connect to that one. I would have to choose either "vod-mc" or "vod-fy" because those are the ones that show up in my logs.

Regex deny
g\d+-vod-us-cmaf-prd-[a-z]+\.cdn\.peacocktv\.com

Regex allow (just one entry)
g\d+-vod-us-cmaf-prd-ZZ\.cdn\.peacocktv\.com
where ZZ is either mc, fy, ak, or sf, depending on what you see appearing in your query logs.
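The deny-all-then-allow-one approach from the comment above, as an added example that is not part of the original thread: it tallies which vod CDN codes appear in a query log, builds the single allow regex, and applies Pi-hole's rule that an allow match overrides a deny match. The log lines are constructed in dnsmasq's query format, Python's `re` stands in for Pi-hole's regex engine, and the helper names are hypothetical.

```python
import re
from collections import Counter

# Constructed lines in the dnsmasq query format that Pi-hole logs (not real data).
SAMPLE_LOG = """\
Sep  7 20:01:11 dnsmasq[812]: query[A] atom.peacocktv.com from 192.168.1.50
Sep  7 20:01:12 dnsmasq[812]: query[A] g008-sf-us-cmaf-prd-fy.cdn.peacocktv.com from 192.168.1.50
Sep  7 20:01:15 dnsmasq[812]: query[A] g008-vod-us-cmaf-prd-mc.cdn.peacocktv.com from 192.168.1.50
Sep  7 20:01:15 dnsmasq[812]: query[AAAA] g008-vod-us-cmaf-prd-mc.cdn.peacocktv.com from 192.168.1.50
Sep  7 20:01:16 dnsmasq[812]: query[A] g006-vod-us-cmaf-prd-fy.cdn.peacocktv.com from 192.168.1.50
Sep  7 20:03:40 dnsmasq[812]: query[A] g006-vod-us-cmaf-prd-mc.cdn.peacocktv.com from 192.168.1.50
"""

QUERY = re.compile(r"query\[[A-Z]+\] (\S+) from ")
# g<node>-<function>-us-cmaf-prd-<cdn>.cdn.peacocktv.com, per the breakdown above.
HOST = re.compile(r"^g\d+-([a-z]+)-us-cmaf-prd-([a-z]+)\.cdn\.peacocktv\.com$")
# Deny regex quoted from the comment: every "vod" server.
DENY_ALL_VOD = r"g\d+-vod-us-cmaf-prd-[a-z]+\.cdn\.peacocktv\.com"

def vod_cdns_seen(log_text):
    """Count the CDN code of every vod host queried in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        query = QUERY.search(line)
        host = HOST.match(query.group(1).lower()) if query else None
        if host and host.group(1) == "vod":
            seen[host.group(2)] += 1
    return seen

def build_rules(log_text):
    """Return (deny, allow) regex lists, allowing the most-queried vod CDN."""
    seen = vod_cdns_seen(log_text)
    if not seen:
        # No vod host observed yet: emit nothing rather than block all playback.
        return [], []
    cdn, _ = seen.most_common(1)[0]
    allow = rf"g\d+-vod-us-cmaf-prd-{cdn}\.cdn\.peacocktv\.com"
    return [DENY_ALL_VOD], [allow]

def decide(host, deny, allow):
    """Apply Pi-hole precedence: an allow match wins over a deny match."""
    if any(re.search(rx, host) for rx in allow):
        return "allowed"
    if any(re.search(rx, host) for rx in deny):
        return "blocked"
    return "forwarded"  # no rule matched; the query goes upstream

if __name__ == "__main__":
    deny, allow = build_rules(SAMPLE_LOG)
    print("allow:", allow)
    for line in SAMPLE_LOG.splitlines():
        name = QUERY.search(line).group(1)
        print(f"{decide(name, deny, allow):9} {name}")
```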

@SirGc

SirGc commented Sep 8, 2025

I followed the recommendations from @tabanger. I was still getting ads, so I saw this domain pop up a lot when the ads started. I blocked it exactly. So far no ads. I'm not sure if this is a regional ad server or not though.

cdn.nbc-pk-sle-prd-01.top.comcast.net

@darthvader666uk

What a fantastic list! I came here off the back of a reddit post with paramount+

I added all the black and white list filters (ublock origin) but IF I block cdn.privacy.paramount.com the video doesn't load in the Firefox browser.

IF I remove it. Ads are still there. Anyone else experienced this too?

@coys1031

Hello @SirGc & @tabanger , thanks for continuing this work for peacock. I put in all of the things you have suggested, including the regex and the exact Denys, but am still getting the ads. Will help any additional suggestions, if any! Thank you

@MasonFlint44

I had to add these rules to get Peacock working ad-free:

  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$
  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

@coys1031

> I had to add these rules to get Peacock working ad-free:
>
>   • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$
>   • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

Thank you @MasonFlint44 , to confirm, I will add these as regex deny correct?

@coys1031

coys1031 commented Sep 27, 2025 via email

@huntertwharris

> I had to add these rules to get Peacock working ad-free:
>
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`

Thank you for this, worked like a charm.

@KarlStyles

> I had to add these rules to get Peacock working ad-free:
>
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`

Thanks @MasonFlint44 , I was trying to create something similar but couldn't quite get the syntax correct. Works great!

@ECSmith88

Has anyone been able to confirm the necessity of the following domains for Peacock and their functionality?
cybertron.id.peacocktv.com
meg.disco.peacocktv.com
ovp.peacocktv.com
pconfig-prd.cdn.peacocktv.com

@frostywiz

> I had to add these rules to get Peacock working ad-free:
>
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`
> * `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`
>
> Thanks @MasonFlint44, I was trying to create something similar but couldn't quite get the syntax correct. Works great!

@MasonFlint44 Thank you for these! They were super helpful. I am using my Xbox for Peacock, and this pattern: ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$ blocked playback for me on my Xbox as of Oct. 14th, 2025, but pattern ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$ worked perfectly in helping block those domains.

From my logs I found that ads and playback segments come from different suffixes: ad/control clusters (cf, cc, ns, etc.) vs. main content (mc).

So, to preserve playback while blocking ads, this combo worked best:

  • ^g\d{3}-vod-us-cmaf-prd-(cf|cc|ns|sf|ph|dc|at)(?:-[a-z0-9-]+)?\.cdn\.peacocktv\.com$
  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

On newer mobile devices though, Peacock has switched to a unified CDN (cdn.nbc-pk-vod-prd-XX.top.comcast.net), so DNS-level blocking no longer works there since ads and content come from the same host.

Hope this helps!

@chrisdeely

@frostywiz could you clarify if these rules are whitelist or blacklist?
