Blocked that hard-coded google dns garbage.
I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.
I configured my Asus router with asuswrt-merlin firmware to route all DNS traffics to my Adguard instance to catch those apps and devices with hard-coded DNS. Those routed DNS queries appear in adguard as originating from my router’s IP address, so I can easily see what apps and devices trying to bypass my dns. Turns out the main offender is Netflix.
That’s interesting. What IP address is netflix hardcoding?
Is this to block ads?
No, you can block ads with a pihole. This is because Roku hard codes its dns server as 8.8.8.8. Pihole doesn’t handle IP addresses, only DNS.
Interesting. I set an adblocking dns via DHCP and, as far as I know, the Roku respects it. Ads are blocked and I can see it failing to delivery telemetry in my dns logs (most persistent thing on the network).
I set a rule to catch outside dns to see if anything, the roku included, has been misbehaving.
Pihole blocks the basics for Roku. Things like logs ads etc. but there’s a lot more telemetry that they’re collecting. Here’s a hackernews thread about the topic and the associated article it references.
