diff --git a/flake.lock b/flake.lock
index 7e15d35..6b29af2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,6 +16,22 @@
 "type": "github"
 }
 },
+"blocklist": {
+"flake": false,
+"locked": {
+"lastModified": 1772371087,
+"narHash": "sha256-4exSkO2QcRy+yhQf2tV6jgO3noNNPvSeIad1YLxpazI=",
+"owner": "StevenBlack",
+"repo": "hosts",
+"rev": "484d3c71b9433e08fa887297e25a3b53c0c6fd57",
+"type": "github"
+},
+"original": {
+"owner": "StevenBlack",
+"repo": "hosts",
+"type": "github"
+}
+},
 "comin": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -293,6 +309,7 @@
 "root": {
 "inputs": {
 "betterfox": "betterfox",
+"blocklist": "blocklist",
 "comin": "comin",
 "disko": "disko",
 "dns": "dns",
diff --git a/flake.nix b/flake.nix
index 83622ed..f251142 100644
--- a/flake.nix
+++ b/flake.nix
@@ -75,6 +75,11 @@
 url = "github:iBigQ/radicale-birthday-calendar";
 flake = false;
 };
+
+blocklist = {
+url = "github:StevenBlack/hosts";
+flake = false;
+};
 };
 outputs =
diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix
index 914e12b..894c2e1 100644
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@@ -1,5 +1,7 @@
 {
 config,
+inputs,
+pkgs,
 lib,
 allHosts,
 ...
@@ -8,6 +10,16 @@ let
 cfg = config.custom.services.recursive-nameserver;
 netCfg = config.custom.networking;
+blocklist =
+pkgs.runCommand "blocklist.conf" { } ''
+echo "server:" > $out
+cat ${inputs.blocklist}/hosts \
+| grep '^0.0.0.0 ' \
+| awk '$2 != "0.0.0.0" {print " local-zone: \"" $2 "\" refuse"}' \
+>> $out
+''
+|> toString;
 privateNameservers =
 allHosts
 |> lib.attrValues
@@ -20,6 +32,7 @@ in
 type = lib.types.port;
 default = 53;
 };
+blockAds = lib.mkEnableOption "";
 };
 config = lib.mkIf cfg.enable (
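Review bot: In the `blocklist` derivation of the `@@ -8,6 +10,16 @@` hunk of recursive.nix, the second hosts-file field is pasted into `local-zone: "..." refuse` without validation, so an upstream line whose second field is not a bare hostname (a stray quote, for instance) yields an unbound.conf that fails to parse whenever `blockAds` is on, and nothing visible here checks the generated file at build time. The input is pinned by narHash in flake.lock, so this can only surface on a `nix flake update`, but that is exactly when the resolver would fail to start; a tighter filter is `| awk '$2 ~ /^[A-Za-z0-9._-]+$/ && $2 != "0.0.0.0" {print ...}' \` (keeping the existing print), and the preceding `grep '^0.0.0.0 '` should escape its dots as `grep '^0\.0\.0\.0 '` since `.` currently matches any character. Note also that `local-zone` refuses every name under each listed host, not only the exact host as a hosts file would, which is usually what a blocklist wants but deserves a comment above the derivation. In the `@@ -20,6 +32,7 @@` hunk, `lib.mkEnableOption ""` renders as "Whether to enable ." in the option documentation; give it a description, e.g. `blockAds = lib.mkEnableOption "DNS-level ad/tracker blocking using the StevenBlack hosts list";`.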
@@ -28,10 +41,13 @@ in
 services = {
 unbound = {
 enable = true;
-settings.server = {
-interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
-access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
-prefetch = true;
+settings = {
+server = {
+interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
+access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
+prefetch = true;
+};
+include-toplevel = lib.mkIf cfg.blockAds blocklist;
 };
 };