this post was submitted on 26 Nov 2023
2 points (75.0% liked)
Homelab
371 readers
9 users here now
Rules
- Be Civil.
- Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
- No memes or potato images.
- We love detailed homelab builds, especially network diagrams!
- Report any posts that you feel should be brought to our attention.
- Please no shitposting or blogspam.
- No Referral Linking.
- Keep piracy discussion off of this community
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
A DNS filter (Pihole) will only stop the TV from DNS resolution, and won't necessarily stop it from trying to phone home to some dodgy servers if the IP addresses of said dodgy servers are baked into the OS.
I don't fully understand why you are concerned about what the TV can access on WAN, and not about what the TV can access on LAN? Put it on its own subnet if you're worried about it sending information back about other devices on your network.
Good point about DNS filter. As for LAN vs WAN, It seems easier to secure your own lan? I don't want the TV acting as a bot net or reporting stuff to some server. So it seems like securing it to only access certain domains would be useful.
If your router supports it, place the TV on it's own vlan.
I think pi holes only go so far. Unless you also block outbound DNS and have IPS/IDS setup to catch and block it on other ports and via encapsulation inside https... it's just another loosing battle.
If I was a TV manufacturer I'd give absolute fuck all about the DNS address assigned to the TV by your router.... or ANY DNS server that has a RFC1918 address. I'd be writing code that would try to hit DNS on the internet that I can use, possibly on a different port than 53 or via HTTPS tunnel.. I'd also have a few DNS entries hardcoded to IP's owned by the TV manufacturer or a subsidiary or even something in Azure/AWS....aside from trying the obvious 1.1.1.1 and 8.8.8.8 and ensuring the records I need are on those servers..
If you want to create a deny all rule and then spend weeks surfing firewall logs, creating allow rules randomly and via trial and error because half the shit doesn't work on the TV and you didn't write the code so you basically are guesing and googling what it needs to talk to.... have at it. Or. Never connect the TV to the internet. Ever.
Problem is the internet isn't a bunch of domains, but IP addresses. So, google or netflix use a large set of rotating, load balanced, IP addresses for their services and they use domains (and dns resolution at the edge) to provide an IP address for the server closest to you and available at that time.
have you *heard* of Anycast my person
every device should only have the access it needs. On trust and untrusted. It’s prudent to make sure a chinesium Roku TV can’t phone home to its manufacturer and can only talk to Roku and Netflix.
There’s a shitton of data a TV could send back home without access to the rest of the network. I mean, many tvs now have microphones.