Improvement Idea?

Have you considered querying your filter list against multiple public free DNS providers to both categorize and provide additional validation? One benefit of this approach is the ability to alert on malware-related DNS requests while minimizing alerts for non-malicious traffic, such as ads. For instance, you might first evaluate the list using security-focused DNS servers that specialize in threat detection. Next, you could apply DNS providers known for ad-blocking capabilities. Any remaining entries that do not match these categories can then be compiled into a separate “other” filter list.