The Hidden Cost of Cheap TVs

Adware.

Past the paywall: 12ft

My strategy then is to get a good deal on a TV but use none of its "smarts." AppleTV is on HDMI 1 for Channels DVR, along with everything else. Works for me.

2 Likes

It takes a lot to get this done though. Even if you don't use their apps, modern TVs literally capture your screen and report it up, using that data to log what you're watching.

There are privacy controls on some of these TVs, and a lot of them reset when you update, and it's not entirely clear if turning these features off actually stops the behavior.

Your best bet is to unplug ethernet or disconnect wifi completely, and only connect it to update firmware, or do it via a USB thumb drive.

This usually sucks because then it means you can't add your TV to your home automation. And controlling a tv is a big part of home automation. Walking past a room and asking a voice assistant to turn the tv off is a huge benefit.

One option is to keep it off the network, and control it with something like a Harmony Hub, which would allow you to turn it on/off etc without actually interacting with the TV directly, allowing it to stay off the network.

Another option is a custom DNS server that blocks routes that the TV uses to upload data. This can get finicky, and software like PiHole can really cause problems with other devices, but you can always point JUST your TVs at the custom DNS server.

So there's lots of ways to handle this, fight the good fight!

1 Like

I really don't care if my TV knows what I'm watching.

2 Likes

100% agree on fighting the fight! One of my primary motivations for using Apple gear is that I don't want to be the product. All TVs are off the LAN/WAN & we have been able to migrate all of them to Apple TV only on HDMI 1.

1 Like

Yea, sucks.

My solution is no LAN cable or wireless. I wonder how long before the TV makers start putting cell network chips in them to report data (CPAP machines do this for "insurance purposes").

Yep and some smart TV and Android-based assistant devices have hard-coded DNS, too. :roll_eyes:

I've got AdGuard Home running on an RPi on my LAN (personally I prefer it to the similar PiHole)

I redirect all DNS traffic on the router to the router itself.

Now any address is good for DNS :wink:

Why do patients use these devices? They are being peddled harder than timeshares.

I'd like to hear more about this, being the co-creator of Pi-hole and all...

1 Like

I have it running but not using it. I really like the ability to block records of a specific type. I used to block AAAA and HTTPS records. Now I am waiting for this functionality to be merged into dnsmasq. Might take a while unless somebody submits a patch :wink:

My point was the unexpected results when blocking DNS on certain devices. Things stop working in very unexpected ways, and it is not immediately clear why.

2 Likes

I use a Firewalla at the edge of our network and there’s a quarantine rule that denies all Internet traffic; this way the TV has an address on the local network, can be controlled by Alexa, Siri, etc (via local Homebridge extension) yet can’t send/receive anything out over the Internet.

Not to mention the Firewalla runs Bro/Zeek and if it so much as sneezes there’s a notification!

Since you asked, when I set up PiHole and was using it my iOS devices would constantly hang when loading pages in Safari. I eventually discovered I needed to set BLOCK_ICLOUD_PR. It would be nice if that setting was better documented, available via the UI instead of just env var, or if PiHole wasn't broken by default for iOS devices.

1 Like

Yes, as the old adage goes: "It's always DNS". But that isn't something that is limited to Pi-hole of course, any and all DNS sinkholes are in that realm. We do make it very easy to exclude certain devices from any blocking so you don't have to manually configure the client(s) or segment the network management with multiple DHCP pools.

That is not the intended behavior and not something I've seen much of. The documentation for that feature is at Configuration - Pi-hole documentation

and it is based on the Apple recommendations for allowing traffic audits Prepare Your Network or Web Server for iCloud Private Relay - Support - Apple Developer

Private Relay will bypass your local management and will render Pi-hole useless.

Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure http app traffic.

If you would like to, we can examine that issue further, but we have many users on iOS and I don't think it's an accurate statement to say that Pi-hole is broken by default for iOS devices. I'm sure I'd have a few tens of thousands of users screaming for my head on the reddit sub if we ever did that.

2 Likes

I have always just disabled iCloud private relay on my local network that has my pihole. I’ve never set that variable.

My thought was I’d rather have the pihole controlling the filtering.

Is this a correct assumption, @dschaper?

I never noticed the Safari loading issues, but that may be because very early on I got an iOS notification about iCloud private relay incompatibility. At that time I made the choice to disable iCloud relay on my home network and not set the variable.

We submit anything that is applicable to dnsmasq up to Simon Kelley as a matter of practice. That feature is being tuned right now and I think is set to be in the next dnsmasq release with a lot more flexibility.

https://www.mail-archive.com/[email protected]/msg16822.html

FYI the latest code allows you to do --filter-rr=HTTPS and it's cleverer about using cache: if any query for a domain has already been answered and cached then it uses that to decide if the answer should be NXDOMAIN or NODATA and doesn't forward the query. If that's enough depends on your resolver implementation, I guess.

Cheers,

Simon.

Pi-hole is set to answer queries to those two canary domains with NXDOMAIN, very similar to the Firefox DoH canary domain process.

Private Relay is incompatible with any locally set DNS server, among other things. Everything goes to Apple's infrastructure, DNS, and proxy servers when Private Relay is enabled.

Separately, but also related, is MAC randomization. If you are using Pi-hole's groups and have identified clients then a change in MAC address may not link the client to the group. You should only have to disable the MAC randomization once and that MAC address should stay the same for that specific WiFi network.

2 Likes

The answer should always be NODATA. Answering NXDOMAIN is asking for trouble.
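
The NXDOMAIN versus NODATA distinction debated in the posts above, as an added example that is not part of any post and is not Pi-hole or dnsmasq code: a minimal sinkhole decision that answers canary names with NXDOMAIN and filtered record types (AAAA, HTTPS) with NODATA, then classifies the reply from its header. The canary names, sample queries and all function names are constructed placeholders.

```python
import struct

NOERROR, NXDOMAIN = 0, 3                      # DNS RCODE values
TYPE_A, TYPE_AAAA, TYPE_HTTPS = 1, 28, 65     # DNS record type codes
CANARIES = {"canary-a.example", "canary-b.example"}  # placeholders, not real canaries
FILTERED = {TYPE_AAAA, TYPE_HTTPS}            # record types the sinkhole strips

def make_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN

def parse_question(msg):
    """Return (name, qtype) of the first question in a DNS message."""
    pos, labels = 12, []
    while msg[pos]:                            # a zero length byte ends the name
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    (qtype,) = struct.unpack_from("!H", msg, pos + 1)
    return ".".join(labels).lower(), qtype

def empty_reply(query, rcode):
    """Reply with zero answer records: rcode 0 is NODATA, rcode 3 is NXDOMAIN."""
    txid, flags = struct.unpack_from("!HH", query)
    flags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode  # QR, copied RD, RA, rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def classify(reply):
    """Name the kind of reply from the header alone."""
    flags, _qdcount, ancount = struct.unpack_from("!HHH", reply, 2)
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "NXDOMAIN"                      # the name does not exist, for any type
    if rcode == NOERROR:
        return "NODATA" if ancount == 0 else "ANSWER"
    return f"RCODE{rcode}"

def sinkhole(query, canaries=CANARIES, filtered=FILTERED):
    """Return a local reply, or None when the query should be forwarded upstream."""
    name, qtype = parse_question(query)
    if name in canaries:
        return empty_reply(query, NXDOMAIN)    # signals "filtering resolver present"
    if qtype in filtered:
        return empty_reply(query, NOERROR)     # name exists, no record of this type
    return None
```

A client that receives NXDOMAIN may treat the whole name as nonexistent for every record type, while NODATA only says this one type is absent, which is why the choice matters when filtering AAAA or HTTPS records for a name whose A record should still resolve.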

Last week I could not get Fubo to play anything from the Fubo app on Apple TV, I suspected it might be my pihole, so I flushed the logs and logged on to Fubo, and guess what? blue-midas.fubo.tv was being blocked. I whitelisted and now it works fine.

This is not always possible. I bought a cheap TV about 2 years ago that was nearly impossible to power up without an internet connection. I eventually found a way, but it required 5 steps with each power up. I returned the TV and bought an LG which works fine.