After installing Pi-Hole on my Raspberry Pi -- I started to notice that my Samsung 'UN60F6350 Smart TV' was pretty much evil (As others are also finding out). Despite having every 'auto update' feature turned off, I noticed it was calling home a lot. Like, a whole lot. Like ... yeah ... wtf.
$ cat /var/log/pihole.log | grep -c samsung
5837
So, I started to dig through the log files and came up with a custom list of URLs that it was hitting. It was quite a few, 26 to be exact. Actually, it started as 25. But, this smart TV is crafty. Since Pi-Hole is pretty much just a way to locally poison your DNS, once the 'Smart TV' started to notice that DNS was failing, it started to try and use its own DNS server.
Jan 26 13:09:17 dnsmasq: query[A] ns11.whois.co.kr from 192.168.1.27
... Then again, if DNS is failing, why query DNS to find your backup server? tsk. tsk.
So, I created a gist file on Github, and put all the entries I found coming from my TV in there.
Next, update the 'Ad-list sources' in the /usr/local/bin/gravity.sh file to include the new block list.
# Ad-list sources--one per line in single quotes
# The mahakala source is commented out due to many users having issues with it blocking legitimate domains.
# Uncomment at your own risk
sources=('https://adaway.org/hosts.txt'
'http://adblock.gjtech.net/?format=unix-hosts'
'http://hosts-file.net/ad_servers.txt'
'http://www.malwaredomainlist.com/hostslist/hosts.txt'
'http://pgl.yoyo.org/adservers/serverlist.php?'
'https://gist.githubusercontent.com/celly/1591cf9305734812baad/raw/'
'http://winhelp2002.mvps.org/hosts.txt')
Tip: if you want sites to automatically be added every time you update the gist, don't use the 'raw' URL for the gist revision. Instead, use the 'raw' url for the file itself. The easiest way to do that is to just add '/raw' to the end of the url.
Finally, log into the pi-hole and re-run the gravity.sh command. Or, you can just wait until the nightly update runs.
$ /usr/local/bin/gravity.sh
** Neutrino emissions detected...
Getting adaway.org list: No changes detected, transport skipped...
Getting adblock.gjtech.net list: No changes detected, transport skipped...
Getting hosts-file.net list: List updated, transport successful...
Getting www.malwaredomainlist.com list: No changes detected, transport skipped...
Getting pgl.yoyo.org list: List updated, transport successful...
Getting gist.githubusercontent.com list: List updated, transport successful...
Getting winhelp2002.mvps.org list: No changes detected, transport skipped...
** Aggregating list of domains...
** Blacklisting 11 domain(s)...
** Whitelisting 2 domains...
** Whitelisting 7 ad list sources...
** 65469 domains being pulled in by gravity...
** 59999 unique domains trapped in the event horizon.
** Formatting domains into a HOSTS file...
** Refresh lists in dnsmasq...
One side effect of this is that all the apps on the TV no longer work, since the TV thinks the internet is down; for example, it won't even attempt to load Netflix without giving connectivity errors. So, technically, it would just be easier to disable Wifi/Ethernet for the same result. But, I have decided against this, just so I can keep an eye on what the TV tries to do.
Bonus: Two fun commands to see who is doing bad things, or has a bad DNS cache, are:
What is being queried, and by whom:
$ cat /var/log/pihole.log | grep query | cut -d" " -f 6,8 | sort | uniq -c | sort -n
...
   12 star-mini.c10r.facebook.com 192.168.1.36
   13 star.c10r.facebook.com 192.168.1.36
   16 ssl.google-analytics.com 192.168.1.2
  489 ns11.whois.co.kr 192.168.1.27
 9759 cdn.samsungcloudsolution.com 192.168.1.27
Who is querying DNS the most:
$ cat /var/log/pihole.log | grep query | cut -d" " -f 8 | sort | uniq -c | sort -n
...
   16 192.168.1.9
   19 192.168.1.10
   21 192.168.1.25
   22 192.168.1.19
  339 192.168.1.36
  358 192.168.1.2
10288 192.168.1.27 <--- Samsung. :(
Just note that the pihole.log file resets every night. So, the later in the day you try this, the more info you'll have.
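
An added example (not part of the original post): the same two tallies done with awk, plus a list of domains that only one client asks for, which is the candidate set for a device-specific block list. awk splits on runs of whitespace, so the space-padded day in a timestamp such as "Feb  3" does not shift the fields the way it does with cut -d" ". The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads dnsmasq query lines on stdin.
LC_ALL=C; export LC_ALL

# Constructed sample in the pihole.log format shown above (not real traffic).
sample_log() {
cat <<'EOF'
Jan 26 13:09:17 dnsmasq: query[A] ns11.whois.co.kr from 192.168.1.27
Jan 26 13:09:17 dnsmasq: forwarded ns11.whois.co.kr to 8.8.8.8
Jan 26 13:09:18 dnsmasq: query[A] cdn.samsungcloudsolution.com from 192.168.1.27
Feb  3 08:00:01 dnsmasq: query[A] cdn.samsungcloudsolution.com from 192.168.1.27
Feb  3 08:00:02 dnsmasq: query[AAAA] ssl.google-analytics.com from 192.168.1.2
Feb  3 08:00:02 dnsmasq: forwarded query.example.net to 8.8.8.8
Feb  3 08:00:03 dnsmasq: query[A] ssl.google-analytics.com from 192.168.1.27
EOF
}

# "<count> <client>", busiest client first. Matching field 5 against query[
# skips forwarded/reply lines even when the domain itself contains "query".
queries_per_client() {
  awk '$5 ~ /^query\[/ && $7 == "from" { n[$8]++ }
       END { for (c in n) print n[c], c }' | sort -k1,1nr -k2,2
}

# "<count> <domain>" for one client IP ($1), most-queried domain first.
domains_for_client() {
  awk -v ip="$1" '$5 ~ /^query\[/ && $7 == "from" && $8 == ip { n[tolower($6)]++ }
       END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# Domains that client $1 asked for and no other client in this log did:
# candidates for a block list that should not affect the other devices.
exclusive_domains() {
  awk -v ip="$1" '$5 ~ /^query\[/ && $7 == "from" {
         d = tolower($6)
         if ($8 == ip) mine[d] = 1; else other[d] = 1 }
       END { for (d in mine) if (!(d in other)) print d }' | sort
}

# Demo on the constructed sample; on the Pi, feed /var/log/pihole.log instead:
#   exclusive_domains 192.168.1.27 < /var/log/pihole.log
sample_log | queries_per_client
sample_log | exclusive_domains 192.168.1.27
```

Because the log resets nightly, a domain reported as exclusive only means no other client asked for it since the last reset.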