Help with iptables rules

Roku somewhat recently decided to hardcode Google’s DNS servers in their devices. That bypasses any DNS blacklisting/adblocking I’ve got set up.

I wanted to block my Roku from talking to the Google DNS (or maybe any DNS outside my network). I went to LuCI and Network, Firewall and finally Traffic Rules, where I set the following:

This seems to result in the following rules in iptables:

zone_wan_dest_REJECT  tcp  --  anywhere             dns.google           tcp dpt:domain MAC xx:xx:xx:xx:xx:xx /* !fw3: Block Google DNS */
zone_wan_dest_REJECT  udp  --  anywhere             dns.google           udp dpt:domain MAC xx:xx:xx:xx:xx:xx /* !fw3: Block Google DNS */

“dns.google” resolves to 8.8.8.8 and 8.8.4.4. I still see the Roku talking to 8.8.8.8 and 8.8.4.4 according to Pakon. The iptables rules seem specific enough, but perhaps I should make it as a custom rule:

zone_wan_dest_DROP  tcp  --  anywhere             8.8.8.8           tcp dpt:domain MAC xx:xx:xx:xx:xx:xx

Or is filtering by MAC address not effective with iptables?

That is a forwarding rule whilst the traffic is outbound and not being forwarded by the R device.

Perhaps instead of attempting to block the DNS queries from the R devices, which likely would cease its connectivity, it would seem to make sense to redirect that traffic to the DNS resolver instance of your choice instead. Though that might fail depending on how R has implemented the hardcoding, i.e. whether it accepts returns from other sources than those being hardcoded.
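One way to set up the redirect the reply describes, as an added example that is not part of either post: a `redirect` section for OpenWrt's /etc/config/firewall (fw3, the same firewall the LuCI Traffic Rules page writes to). It assumes the zone the Roku sits in is named `lan`, that the router's own resolver (dnsmasq) listens on port 53, and that xx:xx:xx:xx:xx:xx stands in for the Roku's MAC address exactly as it does in the rules quoted above.

```uci
# Added example for /etc/config/firewall (OpenWrt fw3); not taken from the thread.
# Any DNS query the Roku sends to an outside server (8.8.8.8, 8.8.4.4 or anything
# else on port 53) is rewritten so that it lands on the router's own resolver.
config redirect
	option name 'Roku DNS to local resolver'
	option src 'lan'                      # zone the Roku is in (assumed name)
	option src_mac 'xx:xx:xx:xx:xx:xx'    # placeholder: the Roku's MAC address
	option src_dport '53'                 # match queries to any DNS server
	option proto 'tcp udp'
	option dest_port '53'                 # port the router's resolver listens on
	option target 'DNAT'                  # no dest_ip: fw3 targets the router itself

# The same match expressed as raw iptables rules in the nat table, for comparison
# with the filter-table rules quoted in the question (REDIRECT sends the packet to
# the router's own address on the receiving interface, assumed to be br-lan):
#   iptables -t nat -A PREROUTING -i br-lan -m mac --mac-source xx:xx:xx:xx:xx:xx \
#            -p udp --dport 53 -j REDIRECT --to-ports 53
#   iptables -t nat -A PREROUTING -i br-lan -m mac --mac-source xx:xx:xx:xx:xx:xx \
#            -p tcp --dport 53 -j REDIRECT --to-ports 53
```

After adding the section, apply it with `/etc/init.d/firewall restart` and check that the new PREROUTING rule's packet counters increase (`iptables -t nat -L PREROUTING -n -v`) while the Roku is in use; if they stay at zero, the MAC or zone name is wrong. The MAC match has to live in PREROUTING (or FORWARD), which is why it works here; a MAC match in an OUTPUT or destination-side chain never sees the source hardware address. Because connection tracking reverses the translation on the way back, the answer reaches the Roku with 8.8.8.8 as its source address, which covers the reply's concern about the device refusing answers from a different server for plain port-53 DNS; DNS carried over other ports or protocols is outside what this rule matches.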