Last Updated On: May 12, 2025
Last Updated Platform: Peacock
Do not block (or whitelist if blocked) for functionality (Only block these if you know what you're doing)
- roku.com, rokutime.com, and therokuchannel.roku.com: for obvious reasons.
- api.roku.com and api.rokutime.com: System functionality.
- retail.rpay.roku.com and api.rpay.roku.com: Payment api.
- image.roku.com: Checking internet connectivity by the app.
- configsvc.sc.roku.com and keysvc.sc.roku.com: Channel functionality.
- content.sr.roku.com, content-detail.sr.roku.com, and playback-detail.sr.roku.com: Loading content.
- images.sr.roku.com: Loading video images.
- api2.sr.roku.com: Channel api that delivers videos.
- vod.delivery.roku.com and vod-playlist.sr.roku.com: Loading the video content.
- rights-manager.sr.roku.com and wv-license.sr.roku.com: Availability and access to content.
- static-delivery.sr.roku.com: Subtitles.
- bookmarks.sr.roku.com: Remembering the last location on a video.
- navigation.sr.roku.com and images-svc.sr.roku.com: Unknown, still being tested.
IMPORTANT: If "The Roku Channel" is having issues loading content try whitelisting the following. Still needs testing.
tis.cti.roku.com
ls.cti.roku.com
If you don't use The Roku Channel app you're welcome to block all these with the following regex.
^[^.]+\.(sr|sc)\.roku\.com$
Domains where logs, ads, web, cti, voice, or prod.mobile appears as an exact label:
^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$
I found some names (sometimes with characters before or after them).
^(([^.]+\.)*[^.]*(amarillo|amoeba|austin|benjamin|bryan|camden|cooper|copper|digdug|external|giga|gilbert|griffin|hereford|lb|liberty|littlefield|longview|madison|marlin|midland|paolo|richmond|rollingwood|scribe|sugarland|tyler|victoria|windsor)[^.]*(\.[^.]+)*\.)roku\.com$
Next, I found some queries starting with some words and decided that I didn't want them.
^((captive|cloudservices|wwwimg)\.)roku\.com$
Some .sr.roku.com addresses combined together:
^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$
ravm.tv queries, I captured all with:
^([^.]+\.)*ravm\.tv$
Individual domains that don't fit a pattern can be added as exact domains:
lat-services.api.data.roku.com
roku.admeasurement.com
Bonus: Overkill for admeasurement:
^([^.]+\.)*roku([^.]+\.)*\.admeasurement([^.]+\.)*\.com$
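The check below is an added example, not part of the original list or of Pi-hole: it runs the page's Roku block regexes over a subset of the domains the page says to keep and reports every overlap. Python's `re` stands in for Pi-hole's regex engine (these patterns use only syntax the two share), and `KEEP`, `BLOCK`, `conflicts` and `needs_exact_allow` are names made up for the example.

```python
import re

# Domains this page says to leave unblocked (subset copied from the list above).
KEEP = [
    "roku.com", "api.roku.com", "api.rpay.roku.com", "image.roku.com",
    "configsvc.sc.roku.com", "keysvc.sc.roku.com", "content.sr.roku.com",
    "api2.sr.roku.com", "vod.delivery.roku.com", "wv-license.sr.roku.com",
    "bookmarks.sr.roku.com", "tis.cti.roku.com", "ls.cti.roku.com",
]

# Block regexes from this page, keyed by short labels chosen for this example.
BLOCK = {
    "sr/sc (optional)": r"^[^.]+\.(sr|sc)\.roku\.com$",
    "labels": r"^(([^.]+\.)*(logs|ads|web|prod\.mobile|cti|voice)(\.[^.]+)*\.)roku\.com$",
    "prefixes": r"^((captive|cloudservices|wwwimg)\.)roku\.com$",
    "sr extras": r"^((bif|microsites|traces|track|userdata)\.sr\.)roku\.com$",
    "ravm": r"^([^.]+\.)*ravm\.tv$",
}

def conflicts(keep, block, skip=()):
    """Map each keep-domain to the labels of the block regexes that match it."""
    compiled = {k: re.compile(v) for k, v in block.items() if k not in skip}
    hits = {}
    for domain in keep:
        matched = [k for k, rx in compiled.items() if rx.search(domain.lower())]
        if matched:
            hits[domain] = matched
    return hits

def needs_exact_allow(keep, block, skip=()):
    """Keep-domains that a block regex would catch, sorted for stable output."""
    return sorted(conflicts(keep, block, skip))

if __name__ == "__main__":
    for domain, rules in conflicts(KEEP, BLOCK).items():
        print(f"{domain:28} blocked by {', '.join(rules)}")
```

With the optional sr/sc rule skipped, the only overlaps are the two cti hosts. Pi-hole gives whitelist entries priority over regex blacklist matches, so adding those two as exact whitelist entries keeps them resolvable.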
Around Jan 7, 2025 Peacock started showing ads on Roku devices. The culprit in my server was f701e91aabed43fa8064e91da398bfbc.mediatailor.us-east-1.amazonaws.com. I assume different regions would have different strings, and the first random part can change.
Type | Domain | Note |
---|---|---|
RegEx | [^.]+\.mediatailor\.[^.]+\.amazonaws\.com | Removed for testing temporarily |
Exact | mt.ssai.peacocktv.com | Use this for now |
**Important:** Use this with caution, someone reported it blocked their Amazon Echo devices. Needs confirmation.
Paramount+ settings and how they deliver content and ads change often. This list has been stable in Roku for some time now. Browser hasn't been stable. Under a moderate to aggressive system, Paramount+ (even the no-ad version) tends to not work. If you're having issues with Paramount+, check your Query Logs and try whitelisting and blacklisting the domains that appear there.
These domains are needed for functionality of the service.
Type | Domain | Function |
---|---|---|
Exact | saa.paramountplus.com | Main |
Exact | saa.cbsi.com | Main |
Exact | vod-gcs-cedexis.cbsaavideo.com | Loads the video |
Exact | cbsinteractive.hb.omtrdc.net | Loads the video |
Exact | cbsi.live.ott.irdeto.com | Loads the video |
Exact | tags.tiqcdn.com | Last location |
Exact | wwwimage-us.pplusstatic.com | Image loading |
Exact | wwwimage-secure.cbsstatic.com | Image loading |
Exact | thumbnails.cbsig.net | Image loading |
Exact | bakery.pplus.paramount.tech | Mobile App |
RegEx | ^[^.]+\.cws\.conviva\.com$ | Video loading |
Most other domains can be blocked. These might be missed by Pi-hole, or might have been whitelisted in the past for one reason or another. There are other domains that can be blocked. Here are some examples. (I'll be working on a solution that combines exact and regex blocking.)
Type | Domain | Notes |
---|---|---|
Exact | imasdk.googleapis.com | Might be needed for loading on PC (needs testing) |
Exact | enduser.adsrvr.org | |
Exact | cdn.privacy.paramount.com | |
Exact | www.googletagmanager.com | |
Exact | pagead2.googlesyndication.com | |
Exact | availability-fastly.syncbak-mediastore-cedexis.cbsaavideo.com | |
Exact | cbsi.demdex.net | |
Exact | vod-gcs-qwilt.cbsaavideo.com | |
Exact | vod-gcs-google.cbsaavideo.com | |
Note: If you use unbound for DNS resolution, enabling DNSSEC will block access to Paramount+ from the browser. Roku still works.
Try adding this to regex list. (Not tested thoroughly, any input is welcome)
^([^.]+\.)*disneyadvertising\.com$
Encountered error message: "Regex validation failed. Missing ')'" when applying
^(([^.]+.)*disneyadvertising.com$
Adjusted to ^(([^.]+.))*disneyadvertising.com$
Thanks for all of the work.
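A small pre-import lint for the regex entries discussed on this page, added here as an example (it is not the author's or Pi-hole's code). Python's `re` stands in for Pi-hole's regex engine, `lint` and `matches` are hypothetical helpers, and the test name at the end is constructed.

```python
import re

def lint(pattern):
    """Return findings for one regex entry; an empty list means nothing flagged."""
    findings = []
    try:
        re.compile(pattern)
    except re.error as exc:
        findings.append(f"invalid: {exc.msg}")
    if not (pattern.startswith("^") and pattern.endswith("$")):
        findings.append("unanchored: also matches inside longer names")
    # Count dots that are neither escaped nor inside a [...] class.
    bare, in_class, i = 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            bare += 1
        i += 1
    if bare:
        findings.append(f"{bare} unescaped dot(s): each matches any character")
    return findings

def matches(pattern, name):
    """True if the (valid) pattern matches the queried name."""
    return re.search(pattern, name) is not None

# Patterns exactly as they appear on this page.
PAGE = r"^([^.]+\.)*disneyadvertising\.com$"
APPLIED = "^(([^.]+.)*disneyadvertising.com$"
ADJUSTED = "^(([^.]+.))*disneyadvertising.com$"
MEDIATAILOR = r"[^.]+\.mediatailor\.[^.]+\.amazonaws\.com"

if __name__ == "__main__":
    for p in (PAGE, APPLIED, ADJUSTED, MEDIATAILOR):
        print(p, "->", lint(p) or "ok")
    # Constructed name that is not a subdomain of disneyadvertising.com.
    probe = "notdisneyadvertising.com"
    print(probe, matches(PAGE, probe), matches(ADJUSTED, probe))
```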