destroylist
Destroylist is a real-time, crowd-sourced blocklist of 170k+ phishing and scam domains, available in multiple DNS-compatible formats (hosts, dnsmasq, RPZ, etc.) and via free API. It combines curated primary threats with community submissions, updated hourly to daily, and integrates directly into Pi-hole, AdGuard Home, and other DNS filtering systems.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | phishdestroy/destroylist |
| Owner | phishdestroy |
| Primary language | HTML |
| License | MIT — OSI-approved |
| Stars | 1.1k |
| Forks | 215 |
| Open issues | 6 |
| Latest release | v1.0.0 (2025-11-08) |
| Last updated | 2026-07-08 |
| Source | https://github.com/phishdestroy/destroylist |
What destroylist is
A GitHub-hosted threat intelligence feed that publishes domain blocklists in JSON, TXT, and DNS-format variants (hosts, dnsmasq, unbound, RPZ), with active DNS verification (24h cadence) and optional HTTP content validation. CI/CD workflows automate list updates, DNS resolution checks, and format generation; served raw via GitHub Pages.
Get the destroylist source
Clone the repository and explore it locally.
git clone https://github.com/phishdestroy/destroylist.gitcd destroylist# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Choose feed variant (primary vs. community, live DNS-verified vs. full list, content-verified vs. DNS-only) based on false-positive tolerance and update latency needs.
- Monitor update frequency (real-time, 2h, 12h, 24h depending on variant) and rate-limit requests if polling feed directly; consider GitHub raw CDN caching behavior.
- Plan appeals/remediation workflow for false positives; README references appeals process but implementation details are not fully documented.
- Validate JSON schema and domain format (FQDN, wildcard handling) before parsing into downstream DNS or security tools.
- Test allowlist integration (allowlist.json) to suppress known false positives; no API endpoint mentioned for dynamic allowlist queries.
When to avoid it — and what to weigh
- Require guaranteed SLA or uptime commitment — This is a free, volunteer-maintained GitHub project with no formal availability guarantees or commercial support.
- Need proprietary whitelisting/tuning for your domain — While an allowlist exists, direct support for custom false-positive handling is not clearly documented; appeals process is basic.
- Expect localized or industry-specific threat curation — List focuses on global phishing/scam domains; no region, vertical, or sector-specific variants are apparent from data.
- Require audited data provenance or legal indemnification — Community entries come from 13+ aggregated sources with no formal chain-of-custody, vetting process, or liability structure disclosed.
License & commercial use
MIT License: permits commercial use, modification, and distribution with attribution and no liability. No restrictions on use for paid products or services.
MIT explicitly allows commercial use. However, list data is aggregated from community and third-party sources (13+ providers); verify that you hold rights to redistribute or are compliant with those sources' licenses. No commercial support, warranty, or indemnification provided.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
List curates phishing/scam domains but does not guarantee zero false positives or false negatives. Community aggregation introduces supply-chain risk: verify upstream sources comply with your threat model. No cryptographic signing or integrity verification (DNSSEC-style) of feed data is documented. Consider layering with other threat feeds. Allowlist mechanism exists for remediation but process lacks formality.
Alternatives to consider
Spamhaus DROP / EDROP
Industry-standard botnet/spam blocklists with formal processes, SLA, and commercial support; narrower scope than Destroylist but higher trust.
PhishTank + OpenPhish
Specialized phishing feeds with structured submissions, higher validation bar, and community vetting; larger operator bases but smaller domain counts.
URLhaus / Abuse.ch threat feeds
Malware distribution and phishing URLs with forensic metadata; broader threat coverage but requires parsing/integration effort.
Build on destroylist with DEV.co software developers
Evaluate Destroylist for DNS filtering or SIEM integration. Verify community sources align with your compliance requirements and test false-positive rates in staging before production rollout.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
destroylist FAQ
How often is the list updated?
Can I use this for commercial products?
What if a domain is incorrectly blocked?
Is there an API with authentication?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like destroylist. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Need a production-grade threat blocklist?
Evaluate Destroylist for DNS filtering or SIEM integration. Verify community sources align with your compliance requirements and test false-positive rates in staging before production rollout.