unsubbed.co

Maza ad blocking

Released under Apache-2.0, Maza ad blocking provides local ad blocker. Like Pi-hole but local and using your operating system on self-hosted infrastructure.

Apache-2.0 Free tanrax/maza-ad-blocking · 1.9K maza-ad-blocking.andros.dev Shell 2 deploy options

Local ad blocking, honestly reviewed. No marketing fluff — just what happens when you run a shell script against your /etc/hosts file.

TL;DR

  • What it is: A Bash script that blocks ad domains by writing them to your operating system’s /etc/hosts file — system-wide, no browser extension required [README].
  • Who it’s for: Developers and power users on macOS or Linux who want ad blocking that works across every app and browser without installing anything in the browser itself [README].
  • Cost: Free. Apache-2.0 licensed. You install it in one curl command [README].
  • Key strength: It blocks ads in every browser, every app, and every terminal tool simultaneously — because it works at the OS DNS resolution layer, not inside a browser [README].
  • Key weakness: It only protects the machine it runs on. Unlike Pi-hole, it does nothing for your phone, tablet, smart TV, or any other device on the network [1]. No GUI. Requires comfort with the command line.

What is Maza ad blocking

Maza is a shell script — 100% Bash — that blocks ads by appending a large list of known ad-serving domains to your system’s /etc/hosts file, redirecting them all to 0.0.0.0. When any browser or application on your machine tries to resolve googleadservices.com, the OS intercepts the lookup before it ever hits a real DNS server and returns nothing. Connection refused. Ad dead.

The project’s own description is accurate: “Simple, native and efficient local ad blocker. Only Bash.” [README]. The word “native” is doing real work there — unlike browser extensions, which only see traffic routed through the browser, Maza blocks at the OS level. A tracking pixel embedded in your email client, a telemetry call from your IDE, a fingerprinting request inside an Electron app — all get silently swallowed if the domain is on the block list.

It hit #1 on Hacker News when it launched [README], which explains the 1,864 GitHub stars. For a shell script with no GUI, no Docker container, no database, and no web UI, that’s a meaningful signal: the pitch was clear enough and the implementation simple enough that a large technical audience said “yes, this.”

The default domain list is from Yoyo (Peter Lowe) — around 3,700 blocked domains. You can swap in Steven Black’s aggregated hosts list at 135,000+ domains, or any hosts-format URL you choose [README].

Why people choose it

The case for Maza comes down to one observation: browser extensions only protect browsers.

Most ad blockers — uBlock Origin, AdBlock Plus, Brave’s built-in blocker — are browser plugins. They intercept requests made by the browser’s network stack. Anything else on your machine bypasses them entirely. Apps that phone home, analytics in desktop software, trackers embedded in Electron wrappers, requests made by scripts running in a terminal — none of those go through a browser extension.

Maza’s approach sidesteps this entirely. Because it writes to /etc/hosts, every DNS lookup on the machine passes through it. You run sudo maza start once and every piece of software on that machine — Firefox, Chrome, Safari, curl, wget, VS Code’s telemetry, Spotify’s analytics layer — tries to resolve ad domains against a poisoned hosts file [README].

The comparison the project draws itself is Pi-hole [README], which is accurate in spirit but different in scope. Pi-hole is a network-level DNS resolver: you run it on a Raspberry Pi or small server, point your router’s DNS at it, and every device on your network gets filtered traffic. That’s more coverage but more infrastructure. Maza is the opposite trade-off: zero infrastructure (it’s a shell script), but zero network coverage. It only defends the machine it’s installed on [1][2].

The awesome-selfhosted DNS category lists Maza alongside Pi-hole (56,560 stars), AdGuard Home (33,573 stars), and blocky (6,536 stars) [2]. The star gap is instructive — Maza is a sharp tool solving a narrow problem, not a platform.

Features

The commands:

  • sudo maza update — downloads the latest domain blocklist and regenerates /etc/hosts [README]
  • sudo maza start — activates blocking [README]
  • sudo maza stop — deactivates blocking, restores hosts file [README]
  • sudo maza status — shows current state [README]

Block list management:

  • Default list: Yoyo/Peter Lowe (~3,700 domains) [README]
  • Custom list: set URL_DNS_LIST_CUSTOM in the config to any hosts-format URL — Steven Black’s aggregated list (135,000+ domains) is the commonly cited upgrade [README]
  • Ignore list: edit /root/.config/maza/ignore to whitelist domains that shouldn’t be blocked [README]
  • Custom block list: add your own domains to /root/.config/maza/custom-domains [README]

Auto-update:

  • Add @daily maza update to cron for hands-free list refreshes [README]
  • macOS users need to manually set PATH in crontab because cron runs with a stripped environment [README]

DNSMASQ integration:

  • /etc/hosts doesn’t support wildcard or subdomain matching, which means a domain like *.doubleclick.net can’t be blocked wholesale — only exact hostnames [README]
  • For subdomain blocking, Maza supports a Dnsmasq output format. You install Dnsmasq locally, configure it to use Maza’s generated file, and point your system’s DNS resolver at localhost [README]
  • The README includes a section for using this setup to create your own Pi-hole-style server — Maza as the block list generator, Dnsmasq as the resolver [README]

Platform support: macOS, Linux, BSD, Windows Subsystem for Linux. macOS requires gsed (via brew install gnu-sed) as a dependency alongside bash 4.0+ and curl [README].

Pricing: SaaS vs self-hosted math

There isn’t a SaaS version of Maza to compare against. The math here is different: it’s free tool vs browser extension subscription vs Pi-hole infrastructure.

  • Maza: $0. Apache-2.0 license. One curl command to install [README].
  • Pi-hole: $0 software + hardware (a Raspberry Pi Zero costs ~$15 one-time, or runs on any spare Linux box) [2].
  • AdGuard Home: $0 self-hosted, or AdGuard’s cloud DNS filtering service at $2.99/mo per device [2].
  • uBlock Origin: $0 (browser extension, open source) — but browser-only.
  • Commercial DNS filtering services (NextDNS, CleanBrowsing): $1.99–$9.99/mo for network-wide filtering without self-hosting hardware.

For a solo developer who wants system-wide ad blocking on their own machine and doesn’t want to spin up a DNS server: Maza is genuinely free and takes about five minutes to install. The only ongoing cost is remembering to run sudo maza update periodically (or setting up a cron job to do it automatically).

The calculus shifts if you want network-wide protection. Maza doesn’t do that. A $15 Raspberry Pi running Pi-hole protects every device on your home or office network from day one. That’s a different value proposition entirely — broader protection for more hardware spend.

Deployment reality check

Installation is a single command:

curl -o maza https://raw.githubusercontent.com/tanrax/maza-ad-blocking/master/maza && sudo rm -rf /usr/local/bin/maza && chmod +x maza && sudo mv maza /usr/local/bin

Then sudo maza update && sudo maza start. That’s it.

What to know before you run it:

The install command downloads a shell script directly from GitHub and executes it with sudo. This is the standard quick-install pattern, but it’s worth being aware: you’re running arbitrary code from the internet as root. The project is open source and you can read every line before running it [README].

The script modifies /etc/hosts. The README explicitly recommends backing it up first: sudo cp /etc/hosts /etc/hosts.backup. Do this. If something goes wrong, you restore your working hosts file [README].

macOS users: You’ll need gsed via Homebrew. The crontab PATH issue is a real gotcha — if you set up auto-update and your Mac is on Apple Silicon, your Homebrew binaries live at /opt/homebrew/bin, not /usr/local/bin. The README now includes the correct PATH variable for this case, but it’s bitten people who set up cron before reading the macOS notes [README].

The wildcard limitation is real. Without DNSMASQ, ads.example.com is blocked but tracker.ads.example.com might not be (unless it’s explicitly in the block list). For most users with Steven Black’s 135k-domain list, coverage is good enough. For thorough subdomain blocking, the DNSMASQ setup is a separate installation process — not covered by the Maza script itself [README].

No GUI, no status page. sudo maza status tells you if it’s running. That’s your interface. If you want a web dashboard showing blocked queries and graphs, you’re looking for Pi-hole or AdGuard Home, not Maza [1][2].

Last significant update: The awesome-selfhosted listing shows last commit as November 2025 [2]. Maza is relatively mature and relatively simple — there isn’t much to update. The Bash script works, the block list format is stable, and the hosts file approach has been the same for 30 years. This isn’t a project that needs weekly releases to stay useful.

Pros and cons

Pros

  • Zero infrastructure. No server, no container, no daemon, no configuration files beyond a hosts file. Installs in one command [README].
  • System-wide blocking. Works across every browser and every application simultaneously — anything that makes a DNS lookup on the machine gets filtered [README].
  • No browser extensions needed. Privacy-conscious users who don’t want browser plugins phoning home to an extension’s update server will appreciate this [README].
  • Swappable block lists. The default 3.7k-domain list is conservative; Steven Black’s 135k-domain list is one config line away [README].
  • Custom domains. Add your own blocked or ignored domains without forking the project [README].
  • Apache-2.0 license. Permissive — use it, modify it, redistribute it [2].
  • Earned its Hacker News #1 spot. The community verified it works and isn’t doing anything shady [README].

Cons

  • Single-machine only. Your phone, your partner’s laptop, the Chromecast — none of them benefit. Pi-hole protects your whole network; Maza protects one machine [1].
  • No GUI. If you want to see what’s being blocked, you don’t. maza status tells you on/off. That’s the extent of observability [1][2].
  • Requires root to run. sudo maza start, sudo maza update, sudo maza stop. Every operation needs elevated privileges because writing /etc/hosts requires root [README].
  • No subdomain wildcards without DNSMASQ. The hosts file format blocks exact domains. tracker.newads.example.com sneaks through unless it’s explicitly in your list [README].
  • Manual update cadence without cron setup. Out of the box, your block list ages. You have to remember to run sudo maza update or set up the cron job [README].
  • macOS cron is finicky. The PATH issue for cron on macOS is a documented setup pain, especially on Apple Silicon [README].
  • No HTTPS inspection. Maza blocks at DNS resolution — it can’t inspect or filter HTTPS traffic content, only prevent DNS resolution of known ad domains.
  • Relatively small community. 1,864 stars [README] vs Pi-hole’s 56,560 [2] means fewer tutorials, fewer forum answers if you hit an edge case.

Who should use this / who shouldn’t

Use Maza if:

  • You’re a developer or sysadmin comfortable in the terminal and want zero-infrastructure system-wide ad blocking on your own machine.
  • You don’t trust browser extensions and prefer not to have them installed.
  • You want to block tracking and telemetry from desktop applications, not just browsers.
  • You’re on macOS or Linux and want a five-minute setup with no ongoing maintenance beyond a daily cron job.

Skip it (use Pi-hole instead) if:

  • You want every device on your home or office network protected — phones, tablets, smart TVs, everything [1][2].
  • You want a web dashboard to see what’s being blocked and manage block lists through a UI [2].
  • You’re setting this up for a family member who isn’t comfortable in the terminal.

Skip it (use AdGuard Home instead) if:

  • You want network-wide protection with a modern, clean web UI [2].
  • You need DNS-over-HTTPS or DNS-over-TLS out of the box.
  • You want detailed per-device filtering statistics.

Skip it (use uBlock Origin instead) if:

  • You only care about ad blocking in the browser and don’t want to touch system files or run anything as root.
  • You’re on Windows (uBlock runs everywhere; Maza has limited Windows support through WSL only).

Skip it (use blocky instead) if:

  • You want a lightweight network-level DNS blocker that runs in Docker, supports multiple block list formats, and has more active recent development [2].

Alternatives worth considering

From the awesome-selfhosted DNS category and the VentureGaps alternatives list [1][2]:

  • Pi-hole — the benchmark for self-hosted network ad blocking. Protects your entire network, has a full web UI, community blocklists, per-client statistics. 56,560 GitHub stars. More complex to set up (needs a dedicated machine or VM), but the payoff is network-wide coverage [2].
  • AdGuard Home — Pi-hole’s main competitor. Similar network-level approach, arguably cleaner UI, supports DNS-over-HTTPS natively, better-maintained parent company (AdGuard). 33,573 stars [2].
  • blocky — a newer Go-based DNS proxy designed as a Pi-hole alternative. Faster than Pi-hole, configured via YAML, no web UI by default but API-accessible. 6,536 stars [2].
  • Technitium DNS Server — full authoritative/recursive DNS server with ad blocking built in. C#-based, has a web UI, runs on Windows and Linux natively. 8,043 stars [2].
  • uBlock Origin — browser extension, not a self-hosted tool, but the practical comparison for anyone who just wants ads gone in the browser without infrastructure.

For a developer who wants local machine-only protection: Maza is the cleanest option. For anyone who wants more than one machine covered: Pi-hole or AdGuard Home.

Bottom line

Maza is a sharp, narrow tool that does one thing honestly. It writes ad domains to your /etc/hosts file and your machine stops resolving them. No UI, no server, no container, no dependencies beyond Bash and curl. The five-minute setup claim is accurate. The limitation — it only protects the machine it runs on — is equally real.

The comparison to Pi-hole that Maza itself makes is misleading in one direction: Pi-hole protects a network, Maza protects a laptop. They’re not substitutes for most use cases. Where Maza does win cleanly is the developer who wants system-wide blocking (not just browser-level) on their own machine without spinning up additional infrastructure. For that exact use case, nothing else is this simple.

If you want network-wide blocking with a dashboard, install Pi-hole or AdGuard Home on a spare machine and call it done [2]. If you want to block tracking across every app on your MacBook with a single command and zero ongoing maintenance, Maza earns its Hacker News #1.

Sources

  1. VentureGaps“Best Maza ad blocking Alternatives in 2026”. https://www.venturegaps.com/alternatives/maza-ad-blocking
  2. awesome-selfhosted“DNS — awesome-selfhosted”. https://awesome-selfhosted.net/tags/dns.html

Primary sources:

Category

DevOps & Infrastructure (196)

Related DevOps & Infrastructure Tools

View all 196 →

Coolify

52K

Self-hosting platform that deploys apps, databases, and services to your own server with a single click. Open-source alternative to Heroku, Netlify, and Vercel.

devops Apache-2.0

Portainer

37K

Enterprise container management platform for Kubernetes, Docker and Podman environments. Deploy, troubleshoot, and secure across any infrastructure.

devops Zlib

1Panel

34K

Modern, open-source Linux server management panel. Web-based interface for managing servers, websites, databases, and containers.

devops GPL-3.0

CasaOS

33K

A simple, easy-to-use, elegant open-source personal cloud system.

devops Apache-2.0

Dokku

32K

A docker-powered PaaS that helps you build and manage the lifecycle of applications. The smallest PaaS implementation you've ever seen.

devops MIT

Dokploy

32K

The lightest self-hosted PaaS — one command, 3 minutes, and your apps are deploying with automatic SSL on a $4/month VPS.

devops