What blocklists are
A blocklist is a registry of domains, paths, or scripts that a privacy tool considers undesirable. The two largest ecosystems:
- EasyList family, the lists ad blockers like uBlock Origin and AdBlock Plus subscribe to by default. EasyList itself targets ads. EasyPrivacy targets trackers. Multiple regional and topical variants exist.
- Disconnect.me, the list Firefox’s Enhanced Tracking Protection uses. Smaller and more curated than EasyList.
Both are maintained by volunteers, both update multiple times per week, and both are the de-facto authority on “what counts as a tracker.”
How a domain ends up on a blocklist
Two paths:
- Community submission. A user notices a tracking-like behavior and submits the domain to a list maintainer. Approved entries appear in the next list release.
- Heuristic analysis. Some list maintainers run automated scanners that flag domains exhibiting common tracker patterns (third-party-script behavior, fingerprinting, etc.).
There’s no formal application or appeal process. A domain can be added, removed, or moved between categories at the maintainer’s discretion.
What “being on a blocklist” means for tracking
If your tracking endpoint is on a major blocklist:
- Every uBlock Origin / AdBlock Plus user blocks it (15-25% of consumer traffic, higher in tech audiences)
- Every Firefox user with ETP in standard mode blocks it (~10% of total traffic)
- Brave Browser users block it (small share but technical-audience-heavy)
- Apple’s content blocker API exposes the same lists to Safari extensions
A domain on EasyPrivacy or Disconnect.me is reaching maybe 50-70% of your potential audience. The other 30-50% is invisible to it.
The CNAME-cloaking trap
A historical workaround: set up a CNAMEd subdomain of your own site (analytics.yourdomain.com) that resolves to a tracker. Looks like a first-party request, defeats simple domain blocking.
Lists caught up. Disconnect.me, uBlock, and others now detect CNAME cloaking and block it. Safari’s ITP specifically targets it. The workaround has a half-life of months, not years.
How to stay off blocklists
Don’t behave like a tracker. Specifically:
- Use real first-party infrastructure, endpoints actually owned and operated by your business, not CNAMEd from a vendor
- Don’t fingerprint, passive identification via canvas/WebGL/font enumeration is what most lists target
- Honour user consent, blocklists prioritise domains that ignore consent signals
- Be auditable, the smaller and clearer your tracking script, the less likely it gets flagged
A clean first-party server-side architecture is the durable defence: the blocklist can’t block what doesn’t load in the browser.
Common mistakes
- Treating blocklist coverage as something to negotiate. It isn’t.
- Believing your domain “isn’t on the list.” Check, list maintainers add aggressively, and tracker domains often appear within days of launch.
- Counting on subdomain tricks. Modern lists detect these. Subdomain cloaking is a short-term fix, not a strategy.
FAQ about Blocklist
What is a tracker blocklist?
A blocklist is a curated registry of domains, paths, or scripts that privacy tools refuse to load. Major lists include EasyList (ads), EasyPrivacy (trackers), and Disconnect.me (used by Firefox ETP).
How do I check if my tracking domain is on a blocklist?
Search the public list repositories on GitHub (EasyList, Disconnect.me). Tools like uBlock Origin’s “Logger” tab also show what domains are getting blocked on any given page.
Can I get my domain removed from a blocklist?
Not easily, and not durably. The real fix is architectural: serve tracking from real first-party infrastructure (your own servers and your own domain) instead of trying to evade detection.