by tmottabr 1581 days ago
I just block the DNS traffic that is not going to your local DNS.

I use AdGuard Home, find it better than Pi-hole, and it uses DoT for queries (you can do that with Pi-hole too, but you need to set up a proxy for that manually), so I just block anything on port 53 whose destination is not my internal DNS.


Yeah, but I mean they aren't looking up DNS entries and using hard-coded addresses. So they don't use port 53.

https://www.reddit.com/r/Roku/comments/602cnk/is_there_any_o...

The DNS server is hardcoded, so they use the DNS server that Samsung wants instead of your local one. But it will fail over to the local network DNS if it fails to connect to the hardcoded server, as far as I know.

It is not the ad server that is hardcoded. I doubt they will ever do that, because that is hard to manage and does not scale.

So there will be traffic on port 53 that will be captured and redirected to my local DNS server.

What about clients using DoH?
I block DoT and DNS-over-QUIC since they use specific ports.

DoH is hard, but most devices that I worry about do not use it yet, so I am not doing anything.

If this starts becoming a problem, either we will need to build a list of DoH server addresses to blacklist, and this will be a cat-and-mouse game, or you will need an HTTPS middlebox to look at what is in there to see if it is DoH and block it or not, and that brings a whole lot of other problems.
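The setup the thread describes (redirect any plain port-53 DNS to the local resolver, block DoT and DoQ on port 853 for everything except the resolver's own upstream queries), as an added nftables ruleset for a Linux router; it is not code from any commenter or from AdGuard Home. The interface name `br-lan` and the resolver address `192.168.1.2` are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Assumed values (not from the thread): LAN-side interface and the
# address of the local resolver (e.g. an AdGuard Home host).
define lan_if = "br-lan"
define local_dns = 192.168.1.2

table ip dnsguard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS from any LAN client that is NOT already aimed at the
        # local resolver gets rewritten to it. This is what catches a device
        # with a hard-coded public resolver: the query still leaves on port
        # 53, so it is redirected rather than blocked.
        iifname $lan_if ip saddr != $local_dns udp dport 53 ip daddr != $local_dns dnat to $local_dns
        iifname $lan_if ip saddr != $local_dns tcp dport 53 ip daddr != $local_dns dnat to $local_dns
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: if the resolver is a separate host on the same LAN
        # as the clients, its replies would otherwise go straight to the
        # client with the wrong source address and be discarded. Masquerade
        # the redirected flows so replies return via the router.
        oifname $lan_if ip daddr $local_dns udp dport 53 masquerade
        oifname $lan_if ip daddr $local_dns tcp dport 53 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # The local resolver itself talks DoT upstream, so its own 853/tcp
        # traffic must stay open or every lookup breaks.
        iifname $lan_if ip saddr $local_dns tcp dport 853 accept
        # Everything else on port 853 is DoT (tcp) or DoQ (udp, RFC 9250)
        # bypassing the local resolver: drop it so the client falls back
        # to plain DNS, which the prerouting chain then redirects.
        iifname $lan_if tcp dport 853 drop
        iifname $lan_if udp dport 853 drop
    }
}
```

Load with `nft -f <file>` and confirm with `nft list table ip dnsguard`; DoH is not covered here, since it shares port 443 with ordinary HTTPS, which is exactly the limitation the last comment points out.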