FYI (July 24, 2025): I've been away since July 11, dealing with an emergency move. I'll be back working on all the amazing comments y'all have been putting down, most possibly by the first weekend of August. I appreciate all the contributions everybody has been making and all the time everybody has put to make all of our lives better.
Last Updated On: July 10, 2025
Last Updated Platform: Peacock
Do not block (or whitelist if blocked) for functionality (Only block these if you know what you're doing)
roku.com,rokutime.com, andtherokuchannel.roku.com: for obvious reasons.api.roku.comandapi.rokutime.com: System functionality.retail.rpay.roku.comandapi.rpay.roku.com: Payment api.image.roku.com: Checking internet connectivity by the app.
configsvc.sc.roku.comandkeysvc.sc.roku.com: Channel functionality.content.sr.roku.com,content-detail.sr.roku.com, andplayback-detail.sr.roku.com: Loading Contentimages.sr.roku.com: Loading video imagesapi2.sr.roku.com: Channel api that delivers videos.vod.delivery.roku.com, andvod-playlist.sr.roku.com: Loading the video content.rights-manager.sr.roku.comandwv-license.sr.roku.com: Availability and access to content.static-delivery.sr.roku.com: Subtitles.bookmarks.sr.roku.com: Remembering the last location on a video.navigation.sr.roku.comandimages-svc.sr.roku.com: Unknown, still being tested.
IMPORTANT: If "The Roku Channel" is having issues loading content try whitelisting the following. Still needs testing.
tis.cti.roku.com
ls.cti.roku.com
If you don't use The Roku Channel app you're welcome to block all these with the following regex.
^[^.]+\.(sr|sc)\.roku.com$
The exact presence of logs,ads, web, cti, voice, or prod.mobile.
^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$
I found some names (sometimes with characters before or after them).
^(([^.]+\.)*[^.]*(amarillo|amoeba|austin|benjamin|bryan|camden|cooper|copper|digdug|external|giga|gilbert|griffin|hereford|lb|liberty|littlefield|longview|madison|marlin|midland|paolo|richmond|rollingwood|scribe|sugarland|tyler|victoria|windsor)[^.]*(\.[^.]+)*\.))roku\.com$
Next, I found some queries starting with some words and decided that I didn't want them.
^((captive|cloudservices|wwwimg)\.)roku\.com$
Some .sr.roku.com addresses combined together:
^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$
ravm.tv queries, I captured all with:
^([^.]+\.)*ravm\.tv$
Individual domains that don't fit a pattern, can be added as exact domains:
lat-services.api.data.roku.com
roku.admeasurement.com
Bonus: Overkill for admeasurement:
^([^.]+\.)*roku([^.]+\.)*\.admeasurement([^.]+\.)*\.com$
Around Jan 7, 2025 Peacock started showing ads on Roku devices. The culprit in my server was f701e91aabed43fa8064e91da398bfbc.mediatailor.us-east-1.amazonaws.com . I assume different regions would have different strings, and the first random part can change.
July 4, 2025 Update: The current settings mostly work without ads, except the videos don't start where they're left off, but they start from the beginning of the content.
| Type | Domain | Note |
|---|---|---|
| Exact | mytv.clients.peacocktv.com |
Account access |
| Exact | bff-ext.clients.peacocktv.com |
Account access |
| Exact | imageservice.disco.peacocktv.com |
Content images |
| Exact | play.ovp.peacocktv.com |
Content loading |
| RegEx | g[^.]+-vod-us-cmaf-prd-mc.cdn.peacocktv.com |
Video loading |
| Exact | atom.peacocktv.com |
Under consideration |
| Exact | cybertron.id.peacocktv.com |
Under consideration |
| Exact | meg.disco.peacocktv.com |
Under consideration |
| Exact | ovp.peacocktv.com |
Under consideration |
| Exact | pconfig-prd.cdn.peacocktv.com |
Under consideration |
| Type | Domain | Note |
|---|---|---|
| Exact | mt.ssai.peacocktv.com |
Use this for now |
| RegEx | g[^.]+-vod-us-cmaf-prd-[^.]+.cdn.peacocktv.com |
Ads load through various links |
**Important:** Use this with caution, someone reported it blocked their Amazon Echo devices. Needs confirmation.
Paramount+ settings and how they deliver content and ads change often. This list has been stable in Roku for some time now. Browser hasn't been stable. Under a moderate to aggressive system, Paramount+ (even no ad version) tends to not work. If you're having issues with Paramount+, check your Query Logs and try whitelisting and blacklisting domains appear there.
These domains are needed for functinality of the service.
| Type | Domain | Function |
|---|---|---|
| Exact | saa.paramountplus.com |
Main |
| Exact | saa.cbsi.com |
Main |
| Exact | vod-gcs-cedexis.cbsaavideo.com |
Loads the video |
| Exact | cbsinteractive.hb.omtrdc.net |
Loads the video |
| Exact | cbsi.live.ott.irdeto.com |
Loads the video |
| Exact | tags.tiqcdn.com |
Last location |
| Exact | wwwimage-us.pplusstatic.com |
Image loading |
| Exact | wwwimage-secure.cbsstatic.com |
Image loading |
| Exact | thumbnails.cbsig.net |
Image loading |
| Exact | bakery.pplus.paramount.tech |
Mobile App |
| RegEx | ^[^.]+\.cws\.conviva\.com$ |
Video loading |
Most other domains can be blocked. These might be missed by pihole, or might be whitelisted in the past for one reason or another. There are other domains that can be blocked. Here are some examples. (I'll be working on a combination of exact and regex blocking solution)
| Type | Domain | Notes |
|---|---|---|
| Exact | imasdk.googleapis.com |
Might be needed for loading on PC (needs testing) |
| Exact | enduser.adsrvr.org |
|
| Exact | cdn.privacy.paramount.com |
|
| Exact | www.googletagmanager.com |
|
| Exact | pagead2.googlesyndication.com |
|
| Exact | www.googletagmanager.com |
|
| Exact | availability-fastly.syncbak-mediastore-cedexis.cbsaavideo.com |
|
| Exact | cbsi.demdex.net |
|
| Exact | vod-gcs-qwilt.cbsaavideo.com |
|
| Exact | vod-gcs-google.cbsaavideo.com |
Note: If you use unbound for DNS resolution, enabling DNSSEC will block access to Paramount+ from the browser. Roku still works.
Try adding this to regex list. (Not tested thoroughly, any input is welcome)
^([^.]+\.)*disneyadvertising\.com$
Some more Peacock information:
Functions
sf - don't know what 'sf' means, but it's used for trailers (with fallback) and extra content
vod - video on-demand, main video program (with fallback), and it seems like ads (no fallback) are now being served inline from these servers
sle - unknown, I've not actually seen this one in my usage
CDNs
ak - Akamai
fy - Fastly
cf - CloudFront (Amazon)
mc - Media CDN (Google)
Actual deployment
sf-ak - Trailers (round-robin)
sf-fy - Trailers (round-robin) and Extras
vod-mc - main content (primary) and inline ads (round-robin)
vod-fy - main content (secondary) and inline ads (round-robin)
The above is as best as I can figure. I think this is what happens every time a user starts playback of a video:
You can't block both vod servers because then your main content won't play. But if you block just one vod server (either), then that means your main content will always play (because it has fallback), and ad info loading will be blocked about half the time (because it doesn't fallback).
So, if your video content loads with ad info, then just back out and try playing it again, until you get a load where the ad info is blocked. At least that's the explanation that makes sense to fit the behavior I saw in my extensive testing.
A single Regex Deny entry for one vod server, like the following, should have the effect described above, without the need for any additional or more complex entries:
g\d+-vod-us-cmaf-prd-fy\.cdn\.peacocktv\.comIt doesn't look like the "sf" servers need to be blocked, since they don't appear to be involved in the ad loading. Having them enabled or disabled had no effect on the ad loads.