@ozankiratli
Last active December 7, 2025 19:34
PiHoleLists

FYI (July 24, 2025): I've been away since July 11, dealing with an emergency move. I'll be back working on all the amazing comments y'all have been putting down, most possibly by the first weekend of August. I appreciate all the contributions everybody has been making and all the time everybody has put to make all of our lives better.

Streaming Whitelists and Blacklists for PiHole

Last Updated On:           July 10, 2025
Last Updated Platform:     Peacock

Roku

Do not block (or whitelist if blocked) for functionality (Only block these if you know what you're doing)

  • roku.com, rokutime.com, and therokuchannel.roku.com : for obvious reasons.
  • api.roku.com and api.rokutime.com : System functionality.
  • retail.rpay.roku.com and api.rpay.roku.com : Payment api.
  • image.roku.com : Checking internet connectivity by the app.

"The Roku Channel" related domains. (Block these only if you don't use "The Roku Channel")

  • configsvc.sc.roku.com and keysvc.sc.roku.com : Channel functionality.
  • content.sr.roku.com, content-detail.sr.roku.com, and playback-detail.sr.roku.com : Loading Content
  • images.sr.roku.com : Loading video images
  • api2.sr.roku.com : Channel api that delivers videos.
  • vod.delivery.roku.com, and vod-playlist.sr.roku.com : Loading the video content.
  • rights-manager.sr.roku.com and wv-license.sr.roku.com : Availability and access to content.
  • static-delivery.sr.roku.com : Subtitles.
  • bookmarks.sr.roku.com : Remembering the last location on a video.
  • navigation.sr.roku.com and images-svc.sr.roku.com : Unknown, still being tested.

IMPORTANT: If "The Roku Channel" is having issues loading content try whitelisting the following. Still needs testing.

tis.cti.roku.com
ls.cti.roku.com

If you don't use The Roku Channel app you're welcome to block all these with the following regex.

^[^.]+\.(sr|sc)\.roku\.com$

Block list RegEx

Matches domains where a label is exactly logs, ads, web, cti, or voice, or where the label pair prod.mobile appears.

^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$

I found some names (sometimes with characters before or after them).

^(([^.]+\.)*[^.]*(amarillo|amoeba|austin|benjamin|bryan|camden|cooper|copper|digdug|external|giga|gilbert|griffin|hereford|lb|liberty|littlefield|longview|madison|marlin|midland|paolo|richmond|rollingwood|scribe|sugarland|tyler|victoria|windsor)[^.]*(\.[^.]+)*\.)roku\.com$

Next, I found some queries starting with some words and decided that I didn't want them.

^((captive|cloudservices|wwwimg)\.)roku\.com$

Some .sr.roku.com addresses combined together:

^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$

ravm.tv queries, I captured all with:

^([^.]+\.)*ravm\.tv$

Individual domains that don't fit a pattern can be added as exact domains:

lat-services.api.data.roku.com
roku.admeasurement.com

Bonus: Overkill for admeasurement:

^([^.]+\.)*roku([^.]+\.)*\.admeasurement([^.]+\.)*\.com$
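An added example (not part of the gist) that checks the Roku block regexes above against the domains the list says should stay reachable. Python's `re` stands in for Pi-hole's regex engine, which is an assumption, and the dictionary keys and function names are hypothetical.

```python
import re

# Block regexes from the Roku section (parentheses balanced, dots escaped).
BLOCK = {
    "labels": r"^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$",
    "names": r"^(([^.]+\.)*[^.]*(amarillo|amoeba|austin|benjamin|bryan|camden|cooper"
             r"|copper|digdug|external|giga|gilbert|griffin|hereford|lb|liberty"
             r"|littlefield|longview|madison|marlin|midland|paolo|richmond|rollingwood"
             r"|scribe|sugarland|tyler|victoria|windsor)[^.]*(\.[^.]+)*\.)roku\.com$",
    "prefixes": r"^((captive|cloudservices|wwwimg)\.)roku\.com$",
    "sr": r"^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$",
    "ravm": r"^([^.]+\.)*ravm\.tv$",
}
# The regex offered for blocking The Roku Channel as a whole.
CHANNEL_RE = r"^[^.]+\.(sr|sc)\.roku\.com$"

# Domains the list says are needed for the device itself.
SYSTEM = """roku.com rokutime.com therokuchannel.roku.com api.roku.com
api.rokutime.com retail.rpay.roku.com api.rpay.roku.com image.roku.com""".split()
# Domains the list ties to The Roku Channel.
CHANNEL = """configsvc.sc.roku.com keysvc.sc.roku.com content.sr.roku.com
content-detail.sr.roku.com playback-detail.sr.roku.com images.sr.roku.com
api2.sr.roku.com vod.delivery.roku.com vod-playlist.sr.roku.com
rights-manager.sr.roku.com wv-license.sr.roku.com static-delivery.sr.roku.com
bookmarks.sr.roku.com navigation.sr.roku.com images-svc.sr.roku.com""".split()
# The two hosts the list suggests whitelisting if content fails to load.
CTI = ["tis.cti.roku.com", "ls.cti.roku.com"]

def collisions(domains):
    """Map each domain to the block rules that would catch it."""
    hits = {}
    for domain in domains:
        rules = [name for name, pat in BLOCK.items() if re.search(pat, domain)]
        if rules:
            hits[domain] = rules
    return hits

def uncovered(domains, pattern=CHANNEL_RE):
    """Domains a single regex fails to match."""
    return [d for d in domains if not re.search(pattern, d)]

if __name__ == "__main__":
    print("needed but blocked:", collisions(SYSTEM + CHANNEL + CTI))
    print("missed by (sr|sc) regex:", uncovered(CHANNEL))
```

Against these lists the only collisions are tis.cti.roku.com and ls.cti.roku.com, both caught by the cti label rule, and vod.delivery.roku.com is the one Roku Channel host the (sr|sc) regex does not cover.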

Peacock

Around Jan 7, 2025 Peacock started showing ads on Roku devices. The culprit in my server was f701e91aabed43fa8064e91da398bfbc.mediatailor.us-east-1.amazonaws.com . I assume different regions would have different strings, and the first random part can change.

July 4, 2025 Update: The current settings mostly work without ads, except the videos don't start where they're left off, but they start from the beginning of the content.

Whitelist

| Type | Domain | Note |
| --- | --- | --- |
| Exact | mytv.clients.peacocktv.com | Account access |
| Exact | bff-ext.clients.peacocktv.com | Account access |
| Exact | imageservice.disco.peacocktv.com | Content images |
| Exact | play.ovp.peacocktv.com | Content loading |
| RegEx | g[^.]+-vod-us-cmaf-prd-mc.cdn.peacocktv.com | Video loading |
| Exact | atom.peacocktv.com | Under consideration |
| Exact | cybertron.id.peacocktv.com | Under consideration |
| Exact | meg.disco.peacocktv.com | Under consideration |
| Exact | ovp.peacocktv.com | Under consideration |
| Exact | pconfig-prd.cdn.peacocktv.com | Under consideration |

Blacklist

| Type | Domain | Note |
| --- | --- | --- |
| Exact | mt.ssai.peacocktv.com | Use this for now |
| RegEx | g[^.]+-vod-us-cmaf-prd-[^.]+.cdn.peacocktv.com | Ads load through various links |

**Important:** Use this with caution, someone reported it blocked their Amazon Echo devices. Needs confirmation.
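An added example (not from the gist) of how the Peacock whitelist and blacklist regexes interact: the blacklist pattern also matches the `-mc` content hosts, so playback depends on the whitelist entry being checked first, as Pi-hole does. The `g001-...` hostnames, `example.net` and the anchored `*_STRICT` patterns are constructed assumptions, and Python's `re` stands in for Pi-hole's regex engine.

```python
import re

# Rules from the Peacock tables, as written (unanchored, bare dots).
ALLOW_EXACT = {"mytv.clients.peacocktv.com", "bff-ext.clients.peacocktv.com",
               "imageservice.disco.peacocktv.com", "play.ovp.peacocktv.com"}
DENY_EXACT = {"mt.ssai.peacocktv.com"}
ALLOW_RE = [r"g[^.]+-vod-us-cmaf-prd-mc.cdn.peacocktv.com"]
DENY_RE = [r"g[^.]+-vod-us-cmaf-prd-[^.]+.cdn.peacocktv.com"]

# Assumed tightened forms (not from the page): anchored, dots escaped.
ALLOW_RE_STRICT = [r"^g[^.]+-vod-us-cmaf-prd-mc\.cdn\.peacocktv\.com$"]
DENY_RE_STRICT = [r"^g[^.]+-vod-us-cmaf-prd-[^.]+\.cdn\.peacocktv\.com$"]

def decide(domain, allow_re, deny_re):
    """Allow entries are evaluated first, so they override any deny match."""
    if domain in ALLOW_EXACT or any(re.search(p, domain) for p in allow_re):
        return "allow"
    if domain in DENY_EXACT or any(re.search(p, domain) for p in deny_re):
        return "block"
    return "pass"  # neither list matched; adlists decide

# Constructed sample queries.
SAMPLES = [
    "g001-vod-us-cmaf-prd-mc.cdn.peacocktv.com",              # main content
    "g001-vod-us-cmaf-prd-cf.cdn.peacocktv.com",              # other cluster
    "g001-vod-us-cmaf-prd-mc.cdn.peacocktv.com.example.net",  # lookalike suffix
    "mt.ssai.peacocktv.com",
    "play.ovp.peacocktv.com",
]

def audit():
    """Return {domain: (verdict as written, verdict with strict regexes)}."""
    return {d: (decide(d, ALLOW_RE, DENY_RE),
                decide(d, ALLOW_RE_STRICT, DENY_RE_STRICT)) for d in SAMPLES}

if __name__ == "__main__":
    for domain, verdicts in audit().items():
        print(f"{domain:58} as-written={verdicts[0]:5} strict={verdicts[1]}")
    # Without the allow regex, the content host falls to the deny regex.
    print(decide(SAMPLES[0], [], DENY_RE))
```

The as-written allow regex also lets the constructed lookalike name through, because nothing anchors it to the end of the domain; the anchored form does not.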

Paramount+

Paramount+ settings, and how they deliver content and ads, change often. This list has been stable on Roku for some time now; the browser hasn't been stable. Under a moderate to aggressive blocking setup, Paramount+ (even the no-ad version) tends not to work. If you're having issues with Paramount+, check your Query Log and try whitelisting and blacklisting the domains that appear there.

Whitelist

These domains are needed for the functionality of the service.

| Type | Domain | Function |
| --- | --- | --- |
| Exact | saa.paramountplus.com | Main |
| Exact | saa.cbsi.com | Main |
| Exact | vod-gcs-cedexis.cbsaavideo.com | Loads the video |
| Exact | cbsinteractive.hb.omtrdc.net | Loads the video |
| Exact | cbsi.live.ott.irdeto.com | Loads the video |
| Exact | tags.tiqcdn.com | Last location |
| Exact | wwwimage-us.pplusstatic.com | Image loading |
| Exact | wwwimage-secure.cbsstatic.com | Image loading |
| Exact | thumbnails.cbsig.net | Image loading |
| Exact | bakery.pplus.paramount.tech | Mobile App |
| RegEx | ^[^.]+\.cws\.conviva\.com$ | Video loading |

Blacklist

Most other domains can be blocked. These might be missed by Pi-hole, or might have been whitelisted in the past for one reason or another. There are other domains that can be blocked; here are some examples. (I'll be working on a combined exact and regex blocking solution.)

| Type | Domain | Notes |
| --- | --- | --- |
| Exact | imasdk.googleapis.com | Might be needed for loading on PC (needs testing) |
| Exact | enduser.adsrvr.org | |
| Exact | cdn.privacy.paramount.com | |
| Exact | www.googletagmanager.com | |
| Exact | pagead2.googlesyndication.com | |
| Exact | availability-fastly.syncbak-mediastore-cedexis.cbsaavideo.com | |
| Exact | cbsi.demdex.net | |
| Exact | vod-gcs-qwilt.cbsaavideo.com | |
| Exact | vod-gcs-google.cbsaavideo.com | |

Note: If you use unbound for DNS resolution, enabling DNSSEC will block access to Paramount+ from the browser. Roku still works.

Disney+

Try adding this to the regex list. (Not tested thoroughly; any input is welcome.)

^([^.]+\.)*disneyadvertising\.com$ 
@MasonFlint44

I had to add these rules to get Peacock working ad-free:

  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$
  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

@coys1031

I had to add these rules to get Peacock working ad-free:

  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$
  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

Thank you @MasonFlint44 , to confirm, I will add these as regex deny correct?

@coys1031

coys1031 commented Sep 27, 2025 via email

@huntertwharris

I had to add these rules to get Peacock working ad-free:

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`

Thank you for this, worked like a charm.

@KarlStyles

I had to add these rules to get Peacock working ad-free:

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`

Thanks @MasonFlint44 , I was trying to create something similar but couldn't quite get the syntax correct. Works great!

@ECSmith88

Has anyone been able to confirm the necessity of the following domains for Peacock and their functionality?
cybertron.id.peacocktv.com
meg.disco.peacocktv.com
ovp.peacocktv.com
pconfig-prd.cdn.peacocktv.com

@frostywiz

I had to add these rules to get Peacock working ad-free:

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$`

* `^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$`

Thanks @MasonFlint44 , I was trying to create something similar but couldn't quite get the syntax correct. Works great!

@MasonFlint44 Thank you for these! They were super helpful. I am using my Xbox for Peacock, and this pattern: ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.cdn\.peacocktv\.com$ blocked playback for me on my Xbox as of Oct. 14th, 2025, but pattern ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$ worked perfectly in helping block those domains.

From my logs I found that ads and playback segments come from different suffixes: ad/control clusters (cf, cc, ns, etc.) vs. main content (mc).

So, to preserve playback while blocking ads, this combo worked best:

  • ^g\d{3}-vod-us-cmaf-prd-(cf|cc|ns|sf|ph|dc|at)(?:-[a-z0-9-]+)?\.cdn\.peacocktv\.com$
  • ^g[0-9]+-[a-z0-9]+-us-cmaf-prd-[a-z0-9-]+\.prd\.pck\.netskrt\.net$

On newer mobile devices though, Peacock has switched to a unified CDN (cdn.nbc-pk-vod-prd-XX.top.comcast.net), so DNS-level blocking no longer works there since ads and content come from the same host.

Hope this helps!

@chrisdeely

@frostywiz could you clarify if these rules are whitelist or blacklist?

@frostywiz

@chrisdeely Blacklist those patterns. Let me know if it works for other devices other than xbox

@chrisdeely

Unfortunately these filters don't appear to have any impact on my Roku. What tools do you use to identify the patterns? Wireshark?

@parasiteoflife

At least for my region/country, for Paramount+, imasdk.googleapis.com has to be allowed for the web to play videos. The Android app also needs something unlocked, but I haven't figured out what (maybe the same, but I doubt it).

I for one am not going to whitelist that domain since it's not Paramount exclusive.

@MidNova

MidNova commented Nov 28, 2025

Whitelist g[^.]+-sle-us-cmaf-prd-mc.cdn.peacocktv.com for sports livestream

This is while using @MasonFlint44's blocking regex and main allow regex

@kernelpanic85

The Peacock filters have been working great, however, sometime in the last week or two all Peacock videos refused to play. I found that the below rule was preventing them from loading. However, disabling the filter brings the ads back.

g[^.]+-vod-us-cmaf-prd-[^.]+.cdn.peacocktv.com

Assuming they made a change on their end. Has anyone found a new workaround for this?

@kameoxylon

@kernelpanic85 I'm using this to block peacock ads with success.

^g\d{1,4}-(vod|sf|sle)-us-cmaf-prd-(cf|cc|sf|ph|dc|at|ak|fy)(-[a-z0-9-]+)?.cdn.peacocktv.com

To avoid blocking video content, you need to make sure you don't block any domains that end with mc.cdn.peacocktv.com
