Your Roku is Spying On You

To be honest - I didn't read the entire thread, but I fixed this issue late last year.
I dumped all my "home" router gear and installed a Ubiquiti network behind my cable modem (300 Mbps). I added a USG, 2 x Switch 8-60W and 2 x AP AC PRO WAPs.
All my IoT devices (Google, thermostat, fridge, etc.) are on an isolated "iot" network. They can scan all day long and all they will see is each other. They have no access to my other segmented networks.
I have 3 others: 1 is guest, where I throttle bandwidth and kick them off after 4 hrs - stops my kids' friends from hogging bandwidth for their games.
Another is for admin purposes (my back door), and the 3rd is the generic home network most folks have - for PCs, phones, etc.
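The segmentation described above (IoT and guest VLANs that can reach the internet but not the home or admin networks, while the home network may still reach the IoT devices) is an inter-VLAN forwarding policy. The following is an added example, not the poster's Ubiquiti configuration: it renders that policy as an nftables `forward` chain for a Linux router and lets you check a candidate flow offline before applying anything. The VLAN names, subnets and interface names are assumptions for illustration.

```python
"""Render an nftables ruleset that isolates IoT and guest VLANs from the LAN.

Added example, not the thread's own config. VLAN names, subnets and
interface names are assumptions chosen for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: name -> (subnet, router sub-interface).  Assumption.
VLANS = {
    "lan":   ("192.168.10.0/24", "eth1.10"),
    "iot":   ("192.168.20.0/24", "eth1.20"),
    "guest": ("192.168.30.0/24", "eth1.30"),
    "admin": ("192.168.40.0/24", "eth1.40"),
}
WAN_IF = "eth0"

# Forwarding policy for NEW flows, first match wins: (source, destination, verdict).
# "wan" means any address outside the listed VLANs.  Replies to flows that the
# allowed side opened are admitted by the conntrack rule, so "lan -> iot accept"
# lets a phone talk to the TV without letting the TV open anything to the phone.
POLICY = [
    ("admin", "lan", "accept"),
    ("admin", "iot", "accept"),
    ("lan", "iot", "accept"),
    ("iot", "lan", "drop"),
    ("iot", "admin", "drop"),
    ("guest", "lan", "drop"),
    ("guest", "iot", "drop"),
    ("guest", "admin", "drop"),
    ("iot", "wan", "accept"),
    ("guest", "wan", "accept"),
    ("lan", "wan", "accept"),
    ("admin", "wan", "accept"),
]


def vlan_of(addr):
    """Name of the VLAN that contains addr, or "wan" if none does."""
    ip = ip_address(addr)
    for name, (subnet, _) in VLANS.items():
        if ip in ip_network(subnet):
            return name
    return "wan"


def decide(src, dst):
    """Verdict the forward chain would give a NEW flow from src to dst."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        return "accept"           # same VLAN: switched, never reaches the router
    for ps, pd, verdict in POLICY:
        if ps == s and pd == d:
            return verdict
    return "drop"                 # chain policy: anything unlisted is dropped


def render_nft():
    """Emit the policy as an nftables table with a default-drop forward chain."""
    lines = [
        "table inet home {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for ps, pd, verdict in POLICY:
        src_if = VLANS[ps][1]
        dst_if = WAN_IF if pd == "wan" else VLANS[pd][1]
        lines.append(f"    iifname {src_if} oifname {dst_if} {verdict}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    for flow in [("192.168.20.5", "192.168.10.7"), ("192.168.10.7", "192.168.20.5"),
                 ("192.168.20.5", "1.1.1.1")]:
        print(flow, "->", decide(*flow))
```

Save the rendered text to a file and load it with `nft -f`; the `ct state established,related accept` line is what makes the asymmetric "LAN may reach IoT, IoT may not reach LAN" rule work, because only flows opened from the LAN side ever create the conntrack entry.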

This is what I've been planning for a while now but haven't gotten around to tackling the implementation.
 
None that I know of, sorry. Home routers don’t support this stuff. Not in their interests.
I believe DD-WRT supports some of the features mentioned, but getting a new paperweight 'cus you bricked the router is no fun.
Yes, for years I was forced to buy "open source" capable routers, so I could install DD-WRT. Why? 'Cus most home units simply did not provide the granular level of control I wanted.

In my case (last Dec), Ubiquiti (while def more $$ than a TOTL home router) solved MOST of my concerns. VLAN's, DPI, guest network controls, band favoring, and so on.
Just finished doing a USG upgrade :)
 
I'm going to try DD-WRT this weekend before I do the cash outlay on Ubiquiti gear.
 
Just so you know, that server is managed by an advertising company (Google) and it most definitely logs every single request forever. At least 1.1.1.1 _promises_ not to log, and subjects itself to yearly audits by a somewhat trusted entity.

I've been using 1.1.1.1 and 1.0.0.1 for my DNS resolvers since that service was announced. Cloudflare's promise to not use the DNS requests for identification/tracking is one I feel I can trust, especially since they are audited by a third party and they go to great lengths to explain how, and why, they are offering this service. They wipe data after 24 hours, won't record IP addresses, etc.

Short of using newer, emerging DNS technology (DNS-over-TLS, DNS-over-HTTPS, both of which have some drawbacks and are a work in progress), as well as not running your own DNS and/or VPN service, Cloudflare's DNS offerings at 1.1.1.1 and 1.0.0.1 are the next best things to ensure a reasonably private DNS service that respects privacy and won't use the data gathered for tracking/harvesting to identify users...and they won't sell data to third parties.

As well, those resolvers are consistently the fastest public DNS resolvers. I've run my own DNS benchmarks on dozens of public/ISP DNS providers and it always ranks first, which jibes with many reports I've read.

8.8.8.8 and 8.8.4.4 are public DNS servers managed by Google...if you're looking for privacy/lack of tracking, etc., those are two that should absolutely be avoided.
 
I believe Cloudflare also supports at least one of the secure DNS variants you mentioned. I haven’t set that up yet, but I will soon.

They support both of those new DNS protocols; it's on my to-do list to experiment with them. I seem to recall that you need DNS client software to support those services. I have to re-visit that as it's been several months since I investigated them.
 
They have DNSSEC now.

Just to elaborate further on that, with regards to privacy, etc., DNSSEC is a secure protocol for guaranteeing the integrity of DNS requests, verification/communication between DNS servers, etc. It provides authentication/integrity for requests but adds no 'functionality' for confidentiality/privacy concerns.
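The two posts above make a distinction worth seeing in bytes: DNSSEC is signalled by the DO bit inside the DNS message and verified by the AD bit in the reply, but the query name travels in cleartext in that same message, and only DoH or DoT wrap it in an encrypted transport. The following is an added example, not code from the thread or from Cloudflare: it builds a wire-format query the way a DoH client does (RFC 1035 message, EDNS0 OPT record, base64url-encoded into a GET URL per RFC 8484), parses it back to show what any resolver sees, and parses a constructed reply. Nothing is sent on the network; the endpoint URL is Cloudflare's published DoH address and the answer bytes are hand-built.

```python
"""Build and parse DNS messages the way a DoH client does.  Added example.

Nothing here touches the network: the response is a constructed byte string,
and the DoH endpoint is Cloudflare's published URL (an assumption for the example).
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # assumption, see lead-in


def encode_name(name):
    """Owner name -> wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, dnssec_ok=True):
    """Wire-format query with an EDNS0 OPT pseudo-RR carrying the DO bit.
    DoH clients use id 0 so identical queries are cacheable (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)    # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, EDNS version 0,
    # flags with DO (0x8000) set when we want DNSSEC records, no options.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0,
                                0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def doh_get_url(query):
    """RFC 8484 GET form: ?dns=<base64url, no padding>.  The request also needs
    the header 'accept: application/dns-message'."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={b64}"


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_query(msg):
    """What the resolver sees: (qname in cleartext, qtype, DO bit set?)."""
    _, _, _, _, _, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    do = False
    for _ in range(ar):
        _, off = decode_name(msg, off)
        rtype, _, ttl_field, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                            # OPT: TTL field holds ext-rcode/version/flags
            do = bool(ttl_field & 0x8000)
        off += 10 + rdlen
    return qname, qtype, do


def parse_response(msg):
    """Return (qname, rcode, AD bit, [(name, type, ttl, rdata)]).  AD=1 means
    the resolver validated DNSSEC; it says nothing about who could read the query."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return qname, flags & 0x000F, bool(flags & 0x0020), answers


def constructed_response():
    """Hand-built reply (constructed, not captured): QR/RD/RA/AD set, one A record
    pointing at a TEST-NET-3 address, name compressed back to the question."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("resolver sees:", parse_query(q))
    print("DoH GET URL:  ", doh_get_url(q))
    print("reply parsed: ", parse_response(constructed_response()))
```

The `parse_query` output is the point of the privacy discussion: whichever resolver receives this message, over plain UDP or inside a DoH request, reads the full name you asked for. DoH only decides who else on the path can read it; DNSSEC only decides whether the answer can be trusted.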
 
I have been trying to get pi-hole to block ads but no noticeable success so far. The web UI tells me that it's blocking about 1% of queries, and the main ones are similar to what the OP listed but I still see ads everywhere. I think it could have something to do with my network (map below)?

Also I have not been able to use the Pi-hole as DHCP server. Connections to routers get cut each time I try to do it (i.e. turn on Pi-hole DHCP and switch off the other routers' DHCPs).

Did I put the Pi-hole in the wrong place? I think I really need a strategy before going at it again, because my family are getting tired of me messing around with their internet (and my wife won't let me stay up too late lol).
 
@JJunkie I'd plug the pi-hole into your Asus router and give it a static IP on the Asus subnet. And then I'd tell the Asus to use the Pi-hole for primary DNS and ignore whatever the WAN side gets from the Netcomm router via DHCP.

I wouldn't put it on your Netcomm -- it could mess with your house alarm in ways you don't want. Set your NetComm to use your ISP's DNS here, is my recommendation. Otherwise support for your house alarm might be problematic.
 

Thanks mate, really appreciate the suggestion.

EDIT: yes! This is working thanks @iaresee
 
I'm a little over a week into this now. Here's some updates, in picture format. For the past 24 hours:

[Two Pi-hole dashboard screenshots from 2018-09-10]

That TCL Roku TV is largely responsible for all the Roku traffic. The watson.telemetry.microsoft.com endpoint is the two Xboxes in the house -- until this weekend that wasn't in my top list, but after a few hours of playing Destiny 2 with the kids on Sunday it was way up there. They love to send data home. Amazon is the Echo and the Echo Tap I suspect -- both of those are heading out. We don't use them enough for me to care to keep them on our network.
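The dashboard numbers discussed in this post and in the earlier "only 1% blocked" post both come from the same place: Pi-hole's dnsmasq query log. The following is an added example, not Pi-hole's own code: it summarises constructed log lines in that format into per-client blocked percentages, the top blocked domains, and, most usefully for the 1% case, the list of clients you expected to see but which never appear, meaning they are still sending DNS to the router rather than to the Pi-hole. The exact log wording is an assumption about the Pi-hole/dnsmasq version; adjust the two regexes if yours differs.

```python
"""Summarise a Pi-hole (dnsmasq) query log.  Added example, not Pi-hole's code.

Log lines below are constructed in the style dnsmasq writes to pihole.log
(an assumption about the exact wording).  A client that never appears in the
log is not using the Pi-hole at all, which is the usual reason the dashboard
shows a tiny blocked percentage while ads are still everywhere.
"""
import re
from collections import Counter

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (?P<name>\S+) is ")

# Constructed sample: three clients over a minute.  The TV (.60) and a console
# (.70) only talk to telemetry hosts; the laptop (.50) browses normally.
SAMPLE_LOG = """\
Sep 10 21:40:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.50
Sep 10 21:40:01 dnsmasq[812]: forwarded www.example.com to 1.1.1.1
Sep 10 21:40:01 dnsmasq[812]: reply www.example.com is 203.0.113.10
Sep 10 21:40:05 dnsmasq[812]: query[A] logs.tv-vendor.example from 192.168.1.60
Sep 10 21:40:05 dnsmasq[812]: gravity blocked logs.tv-vendor.example is 0.0.0.0
Sep 10 21:40:09 dnsmasq[812]: query[A] watson.telemetry.microsoft.com from 192.168.1.70
Sep 10 21:40:09 dnsmasq[812]: gravity blocked watson.telemetry.microsoft.com is 0.0.0.0
Sep 10 21:40:12 dnsmasq[812]: query[AAAA] logs.tv-vendor.example from 192.168.1.60
Sep 10 21:40:12 dnsmasq[812]: gravity blocked logs.tv-vendor.example is ::
Sep 10 21:40:20 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.50
Sep 10 21:40:20 dnsmasq[812]: forwarded cdn.example.net to 1.1.1.1
Sep 10 21:40:20 dnsmasq[812]: reply cdn.example.net is 203.0.113.20
Sep 10 21:40:31 dnsmasq[812]: query[A] watson.telemetry.microsoft.com from 192.168.1.70
Sep 10 21:40:31 dnsmasq[812]: gravity blocked watson.telemetry.microsoft.com is 0.0.0.0
"""


def summarise(log_text, expected_clients=()):
    """Per-client query/blocked counts, top blocked domains, and clients that
    were expected (e.g. from the DHCP lease table) but never queried the Pi-hole."""
    queries = Counter()           # client -> queries seen
    blocked = Counter()           # client -> queries answered from gravity
    blocked_domains = Counter()   # domain -> times blocked
    last_client = {}              # name -> client of the most recent query for it
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m["client"]] += 1
            last_client[m["name"]] = m["client"]
            continue
        m = BLOCK_RE.search(line)
        # dnsmasq logs the block right after the query it answers, so the most
        # recent query for that name is the one being blocked.
        if m and m["name"] in last_client:
            blocked[last_client[m["name"]]] += 1
            blocked_domains[m["name"]] += 1
    per_client = {
        c: {"queries": queries[c], "blocked": blocked[c],
            "blocked_pct": round(100.0 * blocked[c] / queries[c], 1)}
        for c in queries
    }
    total = sum(queries.values())
    return {
        "per_client": per_client,
        "total_blocked_pct": round(100.0 * sum(blocked.values()) / total, 1) if total else 0.0,
        "top_blocked": blocked_domains.most_common(5),
        "silent_clients": sorted(set(expected_clients) - set(queries)),
    }


if __name__ == "__main__":
    # Constructed lease table: the .80 client exists but never shows up.
    report = summarise(SAMPLE_LOG, expected_clients=["192.168.1.50", "192.168.1.60",
                                                      "192.168.1.70", "192.168.1.80"])
    for client, stats in sorted(report["per_client"].items()):
        print(client, stats)
    print("overall blocked %:", report["total_blocked_pct"])
    print("top blocked:", report["top_blocked"])
    print("never used the Pi-hole:", report["silent_clients"])
```

Feed it the real log with `summarise(open("/var/log/pihole.log").read(), expected_clients=<addresses from your DHCP leases>)`; anything in `silent_clients` is a device whose DNS setting the Pi-hole never sees, and a per-device blocked percentage near 100% is the telemetry-only signature the TV and consoles show in the screenshots above.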
 
I finally got a little time, and had an extra Pi sitting around. Other than POS Windows 10 not wanting to see the SD card, setting it up on the MacBook was easy. It's catching all the traffic as I type this, so all is good. Fun going to a site you know is probably bad, and seeing the pile of new blocks.

I normally run a pretty insane hosts file on my main desktop, and that blocks all the Facebook tracking, as well as others, as well as running a handful of browser plugins taking care of cookies, scripts, etc. I like this though, as it's catching everything on the network, TV, Roku, router, etc.

Thanks for the thread. I've known about the project a while, but probably wouldn't have gotten around to it without this.
 