Main data comes from unbound[1], I use vector[2] to ship and transform logs. Dnstap[3] log format IME works better than the standard logs, especially when it comes to more complex queries and replies. Undesired queries get 0.0.0.0 as a response which I track.
Firewall is based on hand-rolled nftables rules.
[1]: https://www.nlnetlabs.nl/projects/unbound/about/
[2]: https://vector.dev
[3]: https://dnstap.info/Examples/
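The "track the 0.0.0.0 answers" idea above, written out as an added example (not the commenter's pipeline). It assumes a vector remap transform has already flattened each dnstap event to one space-separated line of `<unix_ts> <client_ip> <qname> <qtype> <rcode> <first_answer>`; that layout, the sample events and the blocklist excerpt are all constructed here, and the function names (`blocked_queries`, `unblocked_matches`, and so on) are the example's own. Besides counting sinkholed answers per device, it walks each queried name up through its parent domains against a Hagezi-style "domains" list to find names that should have been blocked but got a real answer, which is the check you want after adding a new list.

```shell
#!/bin/sh
# Added example, not the commenter's code: audit a resolver's sinkhole
# responses. Input is ASSUMED to be dnstap events that a vector remap
# transform has flattened to one space-separated line each:
#   <unix_ts> <client_ip> <qname> <qtype> <rcode> <first_answer_or_->
# That layout is a placeholder for whatever your pipeline emits; it is
# not the native dnstap schema.

# Constructed sample events (not real traffic).
sample_log() {
    printf '%s\n' \
        '1700000000 192.168.1.20 scribe.logs.roku.com A NOERROR 0.0.0.0' \
        '1700000001 192.168.1.20 cdn.example.net A NOERROR 203.0.113.10' \
        '1700000002 192.168.1.31 ads.example.org A NOERROR 0.0.0.0' \
        '1700000003 192.168.1.31 tracker.example.org AAAA NOERROR ::' \
        '1700000004 192.168.1.20 logs.roku.com A NOERROR 0.0.0.0' \
        '1700000005 192.168.1.40 www.example.com A NOERROR 93.184.216.34' \
        '1700000006 192.168.1.40 pixel.example.org A NOERROR 198.51.100.9'
}

# Constructed excerpt in the "domains" list format (one name per line,
# '#' comments); a real Hagezi list is far longer.
sample_blocklist() {
    printf '%s\n' '# constructed excerpt' 'logs.roku.com' 'example.org'
}

# Events the resolver sinkholed: an Unbound always_null local-zone
# answers with 0.0.0.0 for A and :: for AAAA.
blocked_queries() {
    awk '$6 == "0.0.0.0" || $6 == "::"'
}

# Number of sinkholed events on stdin.
blocked_count() {
    blocked_queries | awk 'END { print NR }'
}

# Sinkholed events per client, noisiest device first.
blocked_per_client() {
    blocked_queries | awk '{ n[$2]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Filter-gap audit: events whose name (or a parent domain) is on the
# blocklist file $1 but that still received a real answer.
unblocked_matches() {
    awk -v bl="$1" '
        BEGIN {
            while ((getline line < bl) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") block[line] = 1
            }
        }
        $6 == "0.0.0.0" || $6 == "::" { next }   # already sinkholed
        {
            name = $3
            while (name != "") {                  # walk up: a.b.c -> b.c -> c
                if (name in block) { print $2, $3, $6; break }
                i = index(name, ".")
                if (i == 0) break
                name = substr(name, i + 1)
            }
        }'
}

# Demo over the constructed data.
report() {
    bl=$(mktemp) || exit 1
    sample_blocklist > "$bl"
    echo "sinkholed events: $(sample_log | blocked_count)"
    echo "per client:"; sample_log | blocked_per_client
    echo "on blocklist but answered:"; sample_log | unblocked_matches "$bl"
    rm -f "$bl"
}

# `sh audit.sh --demo` runs the sample; pipe real events into the
# functions (and point unblocked_matches at your real list) otherwise.
if [ "${1:-}" = "--demo" ]; then report; fi
```

Note that the audit only sees names that were actually queried; a name that never shows up in the log is neither proven blocked nor unblocked.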
Besides what others have said, another dead simple option is to use Nextdns: https://nextdns.io
Doesn't require running anything locally and supports various block rules and lists and allows you to enable full log retention if you want. I recommend it to non-techies as the easiest way to get something like pi-hole/dnscrypt-proxy. (but of course not being self-hosted has downsides)
edit: For Roku, DNS blocking like this only works if Roku doesn't use its own resolver. If it's like some Google devices it'll use 8.8.8.8 for DNS resolution ignoring your gateway/DHCP provided DNS server.
Seems like you could have a router or firewall mitm queries to e.g. 8.8.8.8 and potentially redirect/rewrite/respond
I would not be surprised if Google TV devices will sooner than later start using DoH to 8.8.8.8
My router owns the IP 8.8.8.8 when seen from inside my network; the Roku literally can't ask Google for DNS via DNS, HTTP, or DNS-over-TLS. It also answers DNS requests on port 53, and believes that there is no scribe.logs.roku.com, along with many other domains.
The downside is that Google seems to think I'm in a botnet, and wants us to login to see anything on YouTube.
I've explored that! Couldn't figure it out but it certainly sounds possible. An even easier solution is just to block all DNS resolvers except your chosen one. When 8.8.8.8 doesn't work GDevices will fall back to the DHCP assigned resolver (usually your gateway).
I'm a noob at this, but can you do that when it is DoT or DoH? Like I thought the point of them is that you can't forget the DNS request. Even harder with oDoH, right? So does that really get around them?
Replace your router's DNS with something like pi-hole or a bog standard dnsmasq, turn up the logging, that's it. Ubiquiti devices I think also offer detailed DNS logging but not sure.
I believe unifi offers aggregated dns logs ootb but you could always set up more detailed ones on the gateway itself.
My suggestion would be to configure your own router using a Linux distro. It's not as difficult as it sounds, the kernel already does most of the heavy lifting. All you need to really do is enable packet forwarding and configure the firewall using iptables rules (block all in, allow all out is a reasonable default). I use Unbound as my recursive DNS resolver, together with Hagezi's blacklists to provide DNS filtering. I filter ports 53 and 853, and filter by IP known public DNS servers (Hagezi maintains a list). DHCP is provided by the isc-dhcp-server package on Debian.
That's a more or less complete home router, with plenty of spare resources to run internal or external services like a Wireguard tunnel, file server, or the Docker/Podman runtime.
That being said, I still wouldn't connect a "smart" TV to the Internet. There are better options like a Linux HTPC.
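The Linux-router setup from the comment above, as an added example rather than the commenter's own configuration. It uses nftables (which another commenter in this thread hand-rolls) instead of the iptables rules mentioned, and it also implements the earlier comment's "router owns 8.8.8.8" trick by DNATing every LAN port-53 query to the local resolver. Interface names `lan0`/`wan0`, the router address `192.168.1.1`, the resolver IP excerpt and the function names are all assumptions; substitute your own and use a full public-resolver list such as the one Hagezi maintains.

```shell
#!/bin/sh
# Added example, not the commenter's ruleset: nftables config for a Linux
# box acting as a home router. Block-all-in / allow-all-out defaults,
# every LAN port-53 query is answered by the local Unbound no matter which
# resolver IP the device asked for, DNS-over-TLS (853) is dropped, and all
# traffic to known public resolver IPs is dropped so hard-coded devices
# fall back to the DHCP-assigned resolver.

LAN_IF="${LAN_IF:-lan0}"                 # assumption: LAN-facing interface
WAN_IF="${WAN_IF:-wan0}"                 # assumption: ISP-facing interface
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"    # assumption: where Unbound listens
# Constructed excerpt; a real list (e.g. Hagezi's) has many more entries.
PUBLIC_RESOLVERS="${PUBLIC_RESOLVERS:-8.8.8.8 8.8.4.4 1.1.1.1 9.9.9.9}"

# Kernel side: forwarding is all the "routing" the box needs.
forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

# "8.8.8.8 1.1.1.1" -> "8.8.8.8, 1.1.1.1" for an nft set body.
nft_ip_list() {
    echo "$1" | awk '{ for (i = 1; i <= NF; i++) printf "%s%s", (i > 1 ? ", " : ""), $i; print "" }'
}

# Emit the ruleset; apply with `gen_ruleset | nft -f -` (as root).
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    set public_dns { type ipv4_addr; elements = { $(nft_ip_list "$PUBLIC_RESOLVERS") } }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
        # LAN may reach the local resolver (53) and DHCP server (67).
        iifname $LAN_IF udp dport { 53, 67 } accept
        iifname $LAN_IF tcp dport 53 accept
        iifname $LAN_IF icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Known public resolver IPs: catches plain DNS, DoT and DoH to them.
        iifname $LAN_IF ip daddr @public_dns drop
        # DoT to anything else. Plain 53 never reaches here (DNATed below).
        iifname $LAN_IF tcp dport 853 drop
        iifname $LAN_IF oifname $WAN_IF accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The router "owns" every resolver IP: LAN port-53 traffic to any
        # destination is handed to Unbound; conntrack rewrites the reply
        # source so the device believes the resolver it asked answered.
        iifname $LAN_IF meta l4proto { tcp, udp } th dport 53 dnat to $ROUTER_IP
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN_IF masquerade
    }
}
EOF
}

# Syntax-check the generated text with nft when it is installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check"; return 0; }
    gen_ruleset | nft -c -f -
}

if [ "${1:-}" = "--print" ]; then gen_ruleset; fi
```

The IP set is what does the work against DoH: port 853 can be dropped outright, but DoH rides on 443 and is only distinguishable by destination address, so a device that switches to an encrypted resolver the list does not cover will get through; the sinkhole counts in the resolver log going to zero for that device is the signal to watch for.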
Pfsense firewall. There is a week long learning curve and it’s best to put it on dedicated hardware.