Block, Bypass, Filter Fox One Ads using AdGuard - Works Only for PC as of 3/28/26

These rulesets use a two-layer approach combining AdGuard Home (AGH) at the DNS level and AdGuard Premium (AGP) at the HTTPS filtering level to suppress ads across streaming platforms without breaking playback.

Layer 1 — AGH (DNS): Wildcard and pattern-based domain rules intercept ad infrastructure at the network level. Rather than returning NXDOMAIN — which causes SDKs to treat the failure as a transient network error and retry aggressively — targeted domains are sinkholed using dnsrewrite=NOERROR;A;0.0.0.0. This returns a valid DNS response pointing to a null address, causing the TCP connection to fail silently. The ad SDK registers the request as resolved rather than failed, eliminating retry loops while keeping the player stable. Core playback domains are explicitly allowlisted so stream delivery, authentication, and manifest requests are never interrupted.

For Fox One specifically, three sinkholes proved sufficient to eliminate ads entirely on PC and significantly reduce them on other devices:

||yospace.com^ — collapses the entire SSAI ad session before it initializes

||fwmrm.net^ — kills FreeWheel measurement and beacon reporting

||ads.production-public.tubi.io^ — kills the Tubi/AdRise CSAI decision layer

These rules apply network-wide to every device pointed at your AGH router — PC, mobile, smart TV, and streaming sticks all benefit without any per-device configuration.

Layer 2 — AGP (HTTPS): Where DNS interception alone can't reach pre-stitched SSAI ad segments — because they're delivered from the same CDN host as content — AGP's HTTPS filtering intercepts requests at the path level. Ad creative segments matching known delivery paths are redirected to a nooptext response, returning HTTP 200 with an empty body. The player receives a valid response, advances through the empty frames, and resumes content cleanly without throwing a network error.

Device compatibility: The full two-layer stack works on PC (Chrome/Edge) and Android TV devices where AGP can install its CA certificate. Android phones and iOS devices are DNS-only due to OS-level certificate store restrictions that prevent app-level HTTPS interception without root access. On these devices the AGH DNS layer still eliminates CSAI-delivered ads and kills all ad measurement and attribution infrastructure.

The combination means ad decision servers, impression trackers, viewability platforms, and programmatic bidding infrastructure are all dark at the DNS layer, while SSAI-stitched creatives that survive DNS filtering are caught and neutralized at the HTTPS layer.

This repo is updated as often as I can get to it. Streaming platforms regularly rotate CDN subdomains, ad server endpoints, and manifest parameters, so it's an ongoing game of cat and mouse. I'm doing my best to keep up — all testing and feedback is genuinely appreciated.