Roku somewhat recently decided to hardcode Google’s DNS servers in their devices. That bypasses any DNS blacklisting/adblocking I’ve got set up.
I wanted to block my Roku from talking to the Google DNS (or maybe any DNS outside my network). I went to LuCI and Network, Firewall and finally Traffic Rules, where I set the following:
This seems to result in the following rules in iptables:
zone_wan_dest_REJECT tcp -- anywhere dns.google tcp dpt:domain MAC xx:xx:xx:xx:xx:xx /* !fw3: Block Google DNS */
zone_wan_dest_REJECT udp -- anywhere dns.google udp dpt:domain MAC xx:xx:xx:xx:xx:xx /* !fw3: Block Google DNS */
“dns.google” resolves to 126.96.36.199 and 188.8.131.52. I still see the Roku talking to 184.108.40.206 and 220.127.116.11 according to Pakon. The iptables rules seem specific enough, but perhaps I should add it as a custom rule:
zone_wan_dest_DROP tcp -- anywhere 18.104.22.168 tcp dpt:domain MAC xx:xx:xx:xx:xx:xx
Or is filtering by MAC address not effective with iptables?
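As an added example (not from the poster, and not OpenWrt's own config), here is the same intent expressed in /etc/config/firewall rather than through LuCI: one rule that rejects DNS from the Roku's MAC to any address outside the LAN (dropping the dest_ip restriction so it no longer depends on which resolver IPs the device picks), plus a redirect that sends any port-53 traffic from the LAN to the router's own resolver, so the local blocklist still applies. The MAC placeholder is the one from the post; the zone names 'lan' and 'wan' are assumed to be the defaults.

```uci
# Added example: reject outbound DNS from the Roku to anything on the wan zone.
# Leaving out dest_ip matches every external resolver, not just the ones
# "dns.google" resolved to when the rule was loaded.
config rule
	option name 'Block external DNS from Roku'
	option src 'lan'
	option src_mac 'xx:xx:xx:xx:xx:xx'   # placeholder MAC from the post
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option family 'ipv4'
	option target 'REJECT'

# Added example: intercept DNS from the whole LAN and hand it to the router's
# resolver (dnsmasq). Without dest_ip, fw3 DNATs to the router's own address
# on the 'lan' zone, so the hardcoded resolver is never reached.
config redirect
	option name 'Intercept DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
```

After `/etc/init.d/firewall restart`, `iptables -t nat -L PREROUTING -n` should list the DNAT entry for dpt:53, and `iptables -L zone_wan_dest_REJECT -n` (with -n, so addresses are shown numerically rather than as "dns.google") shows the MAC-bound reject rule.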