
Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.


I recommend putting all these things on their own VLANs with strict routing rules.

For example, my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy, so it is completely isolated from the rest of the LAN.

On the other hand, some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running Home Assistant can talk to them.

This will work until Amazon Sidewalk / built-in LTE modems become too frequent; at that point I'll have to start ripping out the radio modules from things I buy.


Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.


Smart/IoT devices using DoH (or other encrypted DNS) is a headache that would need to be solved at the router (MITM-ing/redirecting to your preferred provider? or straight-up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.
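As an added example (not from any commenter on this thread), a small router-side detector for the bypass patterns discussed above: plain DNS sent to something other than the router, DNS-over-TLS on port 853, and HTTPS to well-known public resolver IPs (the DoH case). The router address, the resolver list and the flow records are constructed assumptions.

```python
"""Flag LAN devices that bypass a router-side DNS blackhole.

Input is a condensed flow export (constructed sample below), one record per
line in the form "src_ip proto dst_ip dst_port".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ROUTER_IP = "192.168.50.1"  # assumption: the only sanctioned LAN resolver
# Constructed, partial list of public resolvers that also serve DoH/DoT.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.strip().splitlines():
        src, proto, dst, dport = line.split()
        flows.append(Flow(src, proto.lower(), dst, int(dport)))
    return flows


def classify(flow: Flow) -> Optional[str]:
    """Return a bypass category for one flow, or None if it is unremarkable."""
    if flow.dport == 53 and flow.dst != ROUTER_IP:
        return "direct-dns"    # plain DNS to a resolver other than the router
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"           # DNS-over-TLS is always TCP/853
    if flow.dport == 443 and flow.dst in PUBLIC_RESOLVERS:
        return "doh-suspect"   # HTTPS straight to a resolver IP: likely DoH
    return None


def find_bypasses(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of bypass categories seen from it."""
    result = defaultdict(set)
    for f in flows:
        cat = classify(f)
        if cat:
            result[f.src].add(cat)
    return dict(result)


SAMPLE = """
192.168.50.20 udp 192.168.50.1 53
192.168.50.20 tcp 203.0.113.5 443
192.168.50.31 udp 8.8.8.8 53
192.168.50.31 tcp 1.1.1.1 443
192.168.50.42 tcp 9.9.9.9 853
"""

if __name__ == "__main__":
    for src, cats in sorted(find_bypasses(parse_flows(SAMPLE)).items()):
        print(src, sorted(cats))
```

The "doh-suspect" class only catches resolvers whose IPs you already list, which is the limitation the comment above points at; anything it flags is a candidate for a firewall rule on that device's VLAN rather than an automatic verdict.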


It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.

And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.


Smart TV opt-out telemetry is malicious.


Edited to clarify what I mean.


Thanks for giving my glib comment the credibility it didn't deserve.

Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...

