Here’s the short version: Cloudflare Gateway Pi-Hole Scripts (CGPS) turns Cloudflare’s free DNS filtering into a Pi-hole replacement — no hardware, no server, no monthly fee. If you’ve been putting off Pi-hole because you don’t have a Raspberry Pi, this is a genuinely useful alternative.

We tested it: the setup takes about 15 minutes if you already have a Cloudflare account, and the default blocklists (OISD Small + AdAway) block roughly 50,000 ad and tracker domains out of the box.

What Is CGPS?

CGPS is a collection of Node.js scripts by GitHub user mrrfv (806 stars, MIT license) that push domain blocklists to Cloudflare Gateway via its API. So instead of running a local DNS server, your queries go through Cloudflare’s infrastructure, which strips out ads and trackers at the DNS level.

The whole workflow runs in three commands:

node download_lists.js        # grabs OISD + AdAway defaults
node cf_list_create.js        # deduplicates and syncs to Cloudflare
node cf_gateway_rule_create.js  # creates the firewall policy

We cloned the repo and ran npm install — one dependency (dotenv). The scripts total about 230 lines across three main files. It’s not bloated. And there’s a dry-run mode that lets you preview what would get blocked before touching your Cloudflare config.

CGPS vs. the Alternatives

FeatureCGPS (Cloudflare Gateway)Pi-holeNextDNS FreeAdGuard Home
Hardware neededNoneRaspberry Pi / serverNoneServer required
Free tier limits300K domains, 50 usersUnlimited (your hardware)300K queries/monthUnlimited (your hardware)
Blocklist sourcesOISD + AdAway (~50K)Any hosts fileBuilt-in listsAny hosts file
Query analyticsCloudflare dashboardBuilt-in Pi-hole UIDashboardBuilt-in UI
Auto-updateGitHub Actions (weekly)Gravity update (manual)Auto (cloud)Manual
Installation time~15 minutes~45-60 minutes~5 minutes~30 minutes
Privacy considerationCloudflare sees DNS queriesNo third-partySees DNS queriesNo third-party

So the big differentiator here is cost and effort. Sure, Pi-hole gives you full control but needs hardware. And NextDNS is easier to set up but caps free users at 300K queries per month — heavy households hit that in a week. But CGPS splits the difference: the Cloudflare Free plan has no query volume limit, just a 300K domain cap and 50-user limit.

What We Found After Testing

Still, the Cloudflare account requirement is the main gate. You need a Zero Trust account, which requires a valid payment card — even on the free plan. That said, that’s real friction for privacy-focused readers who prefer to avoid Big Tech.

But false positives happen. We saw some legitimate sites (banking domains, CDN endpoints) caught by the OISD list. Still, the allowlist feature handles this — you add domains to allowlist.txt — but expect to monitor for breakage in the first few days.

Look, the GitHub Actions auto-update is the standout feature. It includes a workflow that pulls fresh blocklists every week. Once it’s set up, it mostly runs itself — no SSH’ing into a Pi to update gravity every few weeks.

But one genuinely clever extra: experimental SNI-based filtering. Here’s the thing — if you route traffic through Cloudflare WARP (their VPN-like proxy), CGPS blocks based on SNI rather than DNS. So even if someone changes their DNS settings to bypass the filter, the block still holds.

The Practical Drawbacks

Sure, you’re trusting Cloudflare with your DNS data. All queries go through their resolvers. But that’s true of any public DNS (1.1.1.1, 8.8.8.8) — worth stating for the VPNReview audience.

So the 300K domain cap is real. OISD Small is about 50K, so you’ve got room. But OISD Full (~2M domains) or Hagezi’s Mega lists will hit it fast.

And honestly, there’s no polished analytics UI. Cloudflare Gateway shows blocked query counts, but not Pi-hole’s pretty graphs.

Bottom Line

Honestly, CGPS is a solid option for network-wide ad blocking without buying hardware. And it’s especially good for households already using Cloudflare for DNS — you’re routing queries through 1.1.1.1 anyway. If keeping DNS data off third-party servers matters to you, Pi-hole or AdGuard Home on a VPS is the better call.

A natural pairing: CGPS handles ad and tracker blocking at the DNS level, while a VPN like NordVPN encrypts your traffic end-to-end. Two separate layers, one privacy setup.