Pop-Under Ads: Why Pi-Hole Struggles and How to Actually Block Them
Your Pi-Hole catches the 847 tracker domains in its blocklist but a torrent site still manages to spawn four ad windows when you close the tab. This is not a failure of your blocklist. It is a structural limit of DNS-level blocking. Here is the technical explanation and the layered defense that actually closes the gap.
What a pop-under actually is
A pop-under is a browser window opened by script, then immediately sent behind the active window so the user does not notice it. The user interacts normally with the original page. When they finally close the tab or window, the ad window becomes visible — an impression that was successfully registered and "viewed" by the user, at least by the ad network's billing definition.
The implementation is three lines of JavaScript:
document.addEventListener('click', () => {
const w = window.open('about:blank', '_blank');
w.location.href = 'https://trafficjunky.example/landing?aff=...';
window.focus();
});The actual scripts deployed by PropellerAds, AdMaven, and PopAds are obfuscated and packed, but the underlying behavior is identical: attach a handler to any user gesture, open a new window, navigate it to the ad URL, then focus the opener. Modern browsers have hardened popup blocking against most of this — the window.open must be inside a user gesture handler, cross-origin focus stealing is restricted, and rapid opener cycling triggers the browser's heuristic blocker. Pop-under networks evolve their scripts weekly to stay ahead of those heuristics.
Why DNS-level blocking misses them
Pi-Hole intercepts DNS queries and returns NXDOMAIN for blocked names. That mechanism has one prerequisite: the browser must actually perform a DNS lookup the Pi-Hole can see. Pop-unders fail that prerequisite in three specific ways.
First-party injection. The window.open script is served from the first-party domain you are visiting — the site you intentionally loaded. Pi-Hole will not block that domain because blocking it would break the entire site. The ad code ships inside the first-party bundle.
Multi-hop redirects. The URL passed to window.open is typically a short redirector — trafficjunky.example/go, propads.example/r — that 302s through three to five intermediate hops before landing on the final creative. Pi-Hole would need every hop in your blocklist to stop the chain. Pop-under networks rotate redirector hostnames daily specifically to exhaust blocklist updates.
Direct-IP fallback. When a primary redirector is blocked, some pop-under scripts fall back to hard-coded IP addresses for the final landing. DNS-level blocking has nothing to act on because no DNS lookup occurs.
The 2026 pop-under network landscape
Four networks dominate pop-under ad delivery in 2026. All four serve primarily to sites that mainstream ad exchanges (Google, Microsoft, Amazon) refuse to monetize.
| Network | Primary traffic source | CPM range | Blocklist visibility |
|---|---|---|---|
| PropellerAds | General + adult | $0.50–$4.00 | High (well-covered) |
| AdMaven | Piracy, streaming, adult | $0.80–$3.50 | Medium |
| PopAds | Gambling affiliate, crypto | $1.00–$5.00 | High |
| Zeropark | Affiliate + lead gen | $0.30–$2.00 | Low (rotates fast) |
The blocklist visibility column is the one that matters for Pi-Hole effectiveness. High-visibility networks have dozens to hundreds of known domains in curated blocklists like Hagezi Pro and OISD Big. Low-visibility networks like Zeropark rotate hostnames daily and blocklists trail the rotation by 24 to 72 hours.
The layered defense that actually works
No single tool blocks pop-unders reliably. The combination that catches 95+ percent of them in the Piholekiller test suite looks like this:
- DNS blocking (Pi-Hole, NextDNS, AdGuard Home) with Hagezi Pro + OISD Big. Catches the eventual landing page for well-known networks. Handles the "background" of pop-under traffic but not the aggressive rotators.
- Browser extension: uBlock Origin. Runs inside the page context and intercepts the window.open call itself. Default filter lists explicitly target the PropellerAds, AdMaven, and PopAds injection scripts. This is the single highest-impact defense against pop-unders specifically.
- Browser popup-blocker strict mode. Chrome's "Blocked pop-ups" site setting and Firefox's "Block pop-up windows" default both catch the heuristic signatures. Keep them on.
- Avoid running Chrome-in-incognito without extensions. Incognito mode disables extensions by default on Chrome. Any pop-under defense you configured at the extension layer disappears in a private window. Enable the extension in incognito explicitly or switch to a browser that enables extensions there by default (Firefox, Brave, Vivaldi).
What will not work
- Hosts-file blocking alone. Same structural problem as Pi-Hole — it only catches known domains, not script-injected windows.
- "Pop-under blocker" extensions that are not uBlock Origin. Most single-purpose pop-under blockers in the Chrome Web Store are shells that ship minimal logic and often contain their own trackers. uBlock Origin's filter lists are maintained by the community and cover pop-unders as a core use case.
- Disabling JavaScript. Works, breaks 90 percent of the modern web, not a serious option.
- "Skip pop-ups on this domain" site-specific rules. These exist for display pop-ups, not the heuristic pop-under triggers.
How to test your defense stack
The Piholekiller test page fires a controlled set of pop-under triggers representative of the major networks' real-world behaviors. A fully-blocked result means no new windows opened during the test run. A partial block typically means Pi-Hole caught the redirect chain but a first-party injection still opened a blank window — this is progress, not a failure, because an empty window is not a billable ad impression.
Run the test twice: once with just Pi-Hole, once with Pi-Hole plus uBlock Origin enabled. The delta between the two is the exact amount of pop-under protection your DNS layer is not providing.
Frequently asked questions
- Why doesn't Pi-Hole block pop-unders?
- Pi-Hole blocks DNS lookups. Pop-unders are triggered by JavaScript running inside the first-party page, using window.open with a URL that often redirects several times. The initial call does not require a DNS query Pi-Hole can block.
- What is a pop-under, technically?
- A pop-under is a new browser window opened by script on a user gesture and immediately sent to the background. The user keeps interacting with the original page. When they close it, the ad window becomes visible.
- Does uBlock Origin block pop-unders?
- Yes, significantly better than Pi-Hole. uBlock Origin's default filter lists include window.open neutralization for known pop-under scripts, and the extension runs inside the page context where it can intercept script behavior before the new window opens.
- Which ad networks run pop-unders?
- PropellerAds, AdMaven, PopAds, and Zeropark account for the majority of pop-under traffic in 2026. These networks serve primarily to sites that cannot sell display inventory on the mainstream exchanges.
- Can Pi-Hole block pop-unders at all?
- Partially. Pi-Hole can block the eventual destination if the landing page resolves to a known ad-network domain in your blocklist. Layering a browser extension with uBlock Origin closes the gap completely.