Personally, I am a big fan of NextDNS, a DNS service that (similar to PiHole) allows you to block traffic to advertising circuits, tracking and telemetry systems.

This is why I have always been fascinated by the possibility of reproducing a similar service using free tools, in particular the gateway functionality of Cloudflare’s Zero-Trust platform.

Zero-Trust Gateway does indeed allow you to create blocking rules at the DNS level, but it has a limitation that makes it difficult to use as an adblocker: the lists can only contain 1000 entries, whereas the blocking lists used by NextDNS can usually contain up to 100,000 domains.

So I tried to put together some Python code with the following goal

  • download the blacklists
  • divide them into sets of 1000 entries and create the corresponding lists on Cloudflare, via API.
  • create a block rule and link the lists created in the previous step.

The result was lean enough to be packaged into a GitHub action to be run periodically to keep the lists up to date.


A first working draft is available on GitHub, the use is quite simple:

  1. Create a Cloudflare API token, from, with 3 permissions Account.Zero Trust : Edit Account.Account Firewall Access Rules : Edit Account.Access: Apps and Policies : Edit
  2. Get your Account ID from :
  3. Clone the repository.
  4. Configure action secrets:
    • CF_IDENTIFIER with Account ID
    • CF_API_TOKEN with API Token
  5. Modify config.ini with your preferred blocking lists
  6. Enable action

I hope it is useful!