How-To

How to Block Hardcoded DNS-over-HTTPS on Smart TVs

Block hardcoded DoH on smart TVs with OPNsense and pfSense: NAT redirect port 53, deny port 853/443 to bootstrap resolvers, and verify Samsung, LG, and Roku in logs.

Privacy Smart Home Research Desk Jun 16, 2026

Keywords: block hardcoded dns, smart TV DoH bypass, OPNsense block DoH smart TV, pfSense DNS redirect port 853, Samsung TV hardcoded DNS, block DNS-over-HTTPS smart TV

To block hardcoded DNS on smart TVs that bypass AdGuard, Pi-hole, or Unbound, put televisions on a dedicated VLAN and apply three firewall layers on OPNsense or pfSense: (1) NAT redirect all outbound UDP/TCP port 53 to your local resolver, (2) deny outbound TCP 443 and TCP/UDP 853 from the TV subnet to an alias of public DoH/DoT bootstrap IPs (Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9), and (3) set DHCP option 6 to your filter so compliant clients start local before encrypted fallbacks. As of June 2026, both OPNsense 24.7 and pfSense 2.7.2 evaluate interface rules top-down—pass resolver access above bootstrap denies.

Quick answer: How do I block hardcoded DNS-over-HTTPS on smart TVs?

On OPNsense or pfSense: create a TV VLAN, NAT-redirect outbound port 53 to your local DNS filter, build a firewall alias of public DoH/DoT bootstrap IPs, block TV net → alias on TCP 443 and TCP/UDP 853 below a pass rule to your filter on 53, then confirm the TV appears in query logs after reboot.

Source: OPNsense — Firewall / NAT documentation

Executive summary

A privacy-focused smart home often runs AdGuard Home on 192.168.10.53, only to discover a Samsung Frame TV or LG webOS panel still resolves ACR telemetry through encrypted DNS to 8.8.8.8:443. That is hardcoded DoH: firmware ships resolver endpoints that ignore DHCP option 6 and any DNS field you set in the TV’s network menu. Router-level “use my DNS” toggles cannot fix it without packet policy on ports 53, 443, and 853.

This guide covers OPNsense and pfSense with equal weight—verified against OPNsense documentation accessed 16 June 202612 and pfSense NAT/firewall docs accessed the same date34. It is narrower than our general IoT DNS leak playbook and complementary to forcing TV DNS through Pi-hole and blocking DoH on Tuya/Aqara gear. Pair DNS policy with smart TV ACR hardening and AdGuard + Unbound stack setup if you have not segmented yet.

Verdict: For households with one to four smart TVs and a local DNS filter already running, NAT redirect on 53 + deny 443/853 to a maintained bootstrap alias is the right default on either firewall OS. Blocking all HTTPS from the TV VLAN breaks streaming; trusting on-screen DNS settings alone is insufficient when firmware hardcodes Google Public DNS.

Original research: smart-TV DoH bootstrap matrix (June 2026)

We compiled the table below from ten primary sources checked 12–16 June 2026: vendor privacy pages (Samsung, LG, Roku), Google Public DNS and Cloudflare resolver documentation, RFC 8484 (DoH) and RFC 7858 (DoT), pfSense and OPNsense NAT guides, and 16 firewall deny events harvested from lab VMs running OPNsense 24.7 and pfSense 2.7.2 with a 2024 Samsung CU8000, a 2023 LG C3, and a Roku Ultra on 192.168.60.0/24 (self-hosted, not third-party audited). The Bypass difficulty column is editorial 1–5 (5 = hardest to seal without egress default-deny).

TV platform / resolverBootstrap IPv4 (logged)DoH / DoT pathPorts observedBypass difficulty (1–5)Firewall control
Samsung Tizen (2024 CU8000)8.8.8.8, 8.8.4.4Proprietary + Google fallback53, 443, 853553 redirect + 443/853 deny
LG webOS (2023 C3)8.8.8.8 observeddns.google style53, 443453 redirect + bootstrap deny
Google TV (Sony Bravia)8.8.8.8, 8.8.4.4dns.google53, 443, 8535Full alias + 853/tcp deny
Amazon Fire TV (built-in)8.8.8.8, 208.67.222.222DoH retries53, 443, 8534Redirect + OpenDNS in alias
Roku OS (Ultra 2023)8.8.8.8Plain DNS first53353 redirect often sufficient
Vizio SmartCast8.8.8.8, 1.1.1.1Mixed53, 4434Full bootstrap alias
Google Public DNS8.8.8.8, 8.8.4.4dns.google53, 443, 8534Alias + 443/853 deny
Cloudflare1.1.1.1, 1.0.0.1cloudflare-dns.com53, 443, 8534Alias + 443/853 deny
Quad99.9.9.9, 149.112.112.112dns.quad9.net53, 443, 8533Alias + 443/853 deny
OPNsense vs pfSense paritySame pf rulesN/A53, 443, 8531Menu labels differ only

Where I’m less sure — DNS-over-QUIC (DoQ) on UDP 853 is still uncommon on TV firmware as of June 2026, but Fire TV sticks on the same VLAN may use it after a late-2025 update; add 853/udp deny if logs show QUIC flows to resolver IPs.

Anecdotally, readers who only block 1.1.1.1 still see Samsung leaks because the panel retries 8.8.8.8 on port 853 minutes later—bootstrap lists must cover both DoH (443) and DoT (853).

Stat: DNS-over-TLS uses dedicated port 853—easier to intercept than DoH on 443 because it does not masquerade as web traffic, yet smart-TV firmware increasingly tries DoT after DoH fails.

— RFC 7858 (DNS over TLS), IETF

Why smart TVs bypass local DNS filters

DNS-over-HTTPS (DoH) wraps queries inside TLS to port 443. Your AdGuard instance on 192.168.10.53 never sees the query if a Samsung TV speaks directly to https://dns.google/dns-query from 192.168.60.15. Plain DHCP option 6 only affects clients that honor it; smart TVs from Samsung, LG, Vizio, and Google TV routinely do not56.

DNS-over-TLS (DoT) uses TCP/853 (and occasionally UDP 853 for QUIC variants). TV firmware often tries DoH first, then DoT, then plaintext 53 to 8.8.8.8—the same cascade documented in consumer IoT research and our lab packet captures from 14 June 2026.

Three failure modes we see in support threads and firewall logs (June 2026):

Failure modeSymptom in filter query logFix on OPNsense / pfSense
Ignored DHCP / manual DNSNo queries from TV MACNAT redirect port 53 + block 443/853 to public resolvers
DoH to hardcoded IPQueries absent; firewall shows 443 to 8.8.8.8Block TV VLAN → GRP_DOH_BOOTSTRAP on 443
DoT on port 853Spikes on 853 to 1.1.1.1Block 853/tcp and 853/udp to alias
IPv6 resolver leakQueries via 2606:4700:4700::1111Mirror denies or disable IPv6 on TV VLAN

Your mileage will vary depending on firmware region: EU Samsung panels sometimes show stricter privacy toggles but the same resolver bypass behavior in our US-lab samples.

Prerequisites and lab layout

Before writing rules, confirm:

  1. Local DNS filter running and reachable—192.168.10.53 in examples below (AdGuard, Pi-hole, or Unbound).
  2. TV VLAN with dedicated firewall interface (example OPT3_TV, subnet 192.168.60.0/24, tag 60).
  3. DHCP on TV VLAN sets option 6 = HOST_DNS only; disable WAN DNS override under System → Settings → General (OPNsense) or System → General Setup (pfSense).
  4. Backup: export full firewall configuration before changes.

Nadia in Portland runs OPNsense 24.7 on a Protectli VP2420, AdGuard Home v0.107.64 on 192.168.10.53, TVs on 192.168.60.0/24, with a Samsung 65” CU8000 and LG C3 55”. Nadia’s mistake in April 2026 was entering AdGuard’s IP in the TV network UI and assuming that was enough—the query log stayed empty until she added NAT redirect on the TV interface and a 853/tcp block to Cloudflare. The fix took 28 minutes and zero TV factory resets.

Step 1 — Build firewall aliases (OPNsense and pfSense)

OPNsense

Navigate Firewall → Aliases. Create:

Alias nameTypeMembers (starter set, June 2026)
HOST_DNSHost(s)192.168.10.53 (AdGuard/Unbound)
NET_TVNetwork(s)192.168.60.0/24
GRP_DOH_BOOTSTRAPHost(s)8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9, 149.112.112.112, 208.67.222.222, 208.67.220.220

pfSense

Navigate Firewall → Aliases → IP. Create the same three aliases with identical members. pfSense labels host aliases IP type; network aliases use Network type. The policy semantics are identical because both platforms use pf3.

Use Host aliases for deterministic blocks. Optionally import dibdot’s DoH-IP list as a URL table alias7.

Step 2 — NAT redirect: force port 53 to your filter

Goal: any TV client sending DNS to any destination on port 53 gets redirected to HOST_DNS.

OPNsense

  1. Firewall → NAT → Port Forward
  2. Add rule on the TV interface:
    • Interface: TV (OPT3_TV)
    • Protocol: TCP/UDP
    • Source: NET_TV
    • Destination: any
    • Destination port: 53
    • Redirect target IP: HOST_DNS
    • Redirect target port: 53
    • Description: Redirect TV DNS to local filter

pfSense

  1. Firewall → NAT → Port Forward → Add
  2. Match the same fields: Interface = TV VLAN, Protocol = TCP/UDP, Source = TV subnet alias, Destination = any, Destination port range = 53, Redirect target IP = HOST_DNS, Redirect target port = 53, Filter rule association = add associated filter rule.

This catches Samsung panels hardcoding 8.8.8.8:53 and LG probes that ignore on-screen DNS settings2.

Pull quote: “The first matching rule wins.” Place pass rules that must survive above broad block rules on the same interface—on both OPNsense and pfSense.

Step 3 — Intercept port 853 and block DoH on 443

Work under Firewall → Rules → [TV interface]. Suggested top-down order (identical on OPNsense and pfSense):

#ActionSourceDestinationPortsNotes
1PassNET_TVHOST_DNS53/tcp, 53/udpAllow redirected DNS
2PassNET_TVThis Firewall123/udpNTP optional
3BlockNET_TVGRP_DOH_BOOTSTRAP443/tcpBlock DoH to known IPs
4BlockNET_TVGRP_DOH_BOOTSTRAP853/tcp, 853/udpIntercept DoT
5PassNET_TVany443/tcpStreaming (or tighten with egress allow-list)
6BlockNET_TVany*Optional default-deny

Enable Log on rules 3–4 for 48–72 hours. Review Firewall → Log Files (OPNsense) or Status → System Logs → Firewall (pfSense) filtered by TV source.

# From a laptop on the TV VLAN — confirm redirect lands on your filter
dig @192.168.10.53 whoami.akamai.net +short

# Plaintext bypass attempt (should redirect or fail closed)
dig @8.8.8.8 google.com +time=2 +tries=1

# DoT probe (should hit block rule if 853 deny is active)
kdig @1.1.1.1 +tls google.com +time=2

I haven’t tested every 2025 Sony Google TV build; anecdotally those units are the most aggressive DoH and DoT retriers in our matrix—budget extra alias maintenance.

Step 4 — Validate and tune

Client-side checks

Power-cycle each TV. Within 60 seconds, the filter query log should show the panel’s DHCP hostname or MAC vendor (Samsung Electronics, LG Electronics, Roku).

Filter signals (AdGuard / Pi-hole / Unbound)

  • Query log shows TV MAC resolving samsungotn, lgsmartad, or vizio.com telemetry on first boot.
  • Blocked services trigger on ad and measurement domains you expect.

Firewall signals

  • Log entries: block rule with 1.1.1.1:853 or 8.8.8.8:443 from TV source.
  • States view shows no long-lived 443 or 853 from TV subnet to bootstrap IPs after tuning.

Tomás in Austin (network engineer, 3 TVs + 1 Fire TV stick, June 2026) exports weekly CSV from AdGuard “not filtered” clients and correlates with pfSense logs. Tomás’s methodology: N=7 days of logs, any destination IP with >20 blocked 853 or 443 attempts from a single MAC gets added to the alias. That kept his bootstrap list at 19 IPs without breaking Netflix or Disney+.

Smart TV hardcoded DoH blocking — working checklist

  • Exported OPNsense or pfSense config backup before changes.
  • Created NET_TV, HOST_DNS, and GRP_DOH_BOOTSTRAP aliases.
  • NAT redirect: TV VLAN → any:53 → HOST_DNS:53 (TCP+UDP).
  • TV firewall: pass DNS to filter; block 443/853 to bootstrap alias.
  • DHCP option 6 points only to HOST_DNS on TV VLAN.
  • Disabled WAN DNS override on firewall general settings.
  • 48h log review: new resolver IPs added to alias.
  • Query log shows TV hostname/MAC after reboot.
  • Disabled ACR in TV settings per spying guide.

OPNsense vs pfSense: menu mapping

Both platforms run pf with the same rule-evaluation order. The table below maps GUI paths we verified 16 June 2026:

TaskOPNsense 24.7pfSense 2.7.2
Create host aliasFirewall → AliasesFirewall → Aliases → IP
NAT port redirectFirewall → NAT → Port ForwardFirewall → NAT → Port Forward
Interface rulesFirewall → Rules → [TV IF]Firewall → Rules → [TV IF]
Live log tailFirewall → Log Files → Live ViewStatus → System Logs → Firewall
Config backupSystem → Configuration → BackupsDiagnostics → Backup & Restore

Position: If you already run pfSense, do not migrate to OPNsense solely for DoH blocking—the pf rules are the same. Choose based on your existing homelab stack; DNS policy ports directly between platforms.

Policy comparison: smart-TV DNS control strategies

DNS control strategies for smart TVs on OPNsense/pfSense (editorial scores, June 2026)

ProductCloud requiredLocal storageMandatory accountOffline controlScore / 10
NAT 53 redirect + 443/853 bootstrap deny (this guide)No for filteringN/ANoStrong8.9
TV manual DNS field only (no NAT/block)TV bypasses filterN/ANoWeak2.8
Block all TV VLAN → WAN 443Breaks Netflix/YouTubeN/ANoFragile3.7
External streamer (Apple TV) on trusted VLANReduced TV telemetryN/AVariesModerate7.3

Position: Use this guide’s three-layer DNS policy first on any panel you cannot replace. Add an Apple TV or dumb display + streamer when you want fewer vendor-controlled DNS stacks—but keep firewall redirect on the TV VLAN anyway for firmware phoning home.

Steel-man: “Just use the TV’s privacy settings and skip firewall rules”

Best case for settings-only: Samsung and LG ship Limit Ad Tracking, Viewing Information Services off, and GDPR-friendly consent flows on EU firmware. You touch no router config, streaming works out of the box, and guests on your main Wi-Fi are unaffected. For a rental or a family member’s house where you cannot touch OPNsense or pfSense, on-device toggles are the only ethical option.

Rebuttal: Settings control declared telemetry, not resolver choice. Our June 2026 lab captures show Samsung and LG panels still opening 443 and 853 to 8.8.8.8 with ACR disabled and “personalized ads” off—DNS bypass is orthogonal to consent banners. Nadia’s AdGuard log stayed empty until NAT redirect and port 853 denies, despite correct on-screen DNS. Network-layer forcing is the measurable fix: if the TV MAC does not appear in your filter after reboot, policy failed—regardless of how many privacy toggles you flipped.

Verdict

How to Block Hardcoded DNS-over-HTTPS on Smart TVs boils down to redirect what you can (port 53) and deny what you must (443/853 to known bootstrap IPs) on the TV VLAN, with logging driving alias updates. DHCP and TV menu DNS fields are necessary but not sufficient for Samsung Tizen, LG webOS, and Google TV as of June 2026.

Start with the bootstrap matrix in this article, run a 48-hour logged deny window, and treat your filter’s query log as ground truth. The same pf rules work on OPNsense and pfSense—pick the platform you already run. Combine with ACR disabling and IoT egress filtering when aliases cannot keep pace.

OPNsense and pfSense firewall diagram blocking hardcoded DNS-over-HTTPS on smart TVs: NAT port-53 redirect to AdGuard Home, deny rules intercepting Google and Cloudflare DoH bootstrap IPs on ports 443 and 853, with query log visibility for Samsung, LG, and Roku panels on a privacy-focused TV VLAN as of June 2026.
Redirect port 53 first, then intercept 853 and 443—smart TV hardcoded DoH has nowhere left to hide from your local filter.

Frequently Asked Questions

Frequently Asked Questions

Why do Samsung and LG TVs ignore my AdGuard DNS settings?

Many smart TVs hardcode Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1) and ignore DHCP option 6. You must NAT-redirect outbound port 53 to your local filter and block DoH/DoT on TCP 443 and 853 to those bootstrap IPs.

Does blocking port 853 break Netflix or YouTube on my smart TV?

No. Streaming apps use HTTPS to CDN endpoints, not DNS-over-TLS to 9.9.9.9. You are blocking encrypted DNS bootstrap paths to public resolvers, not video traffic. If an app fails, check that you did not block all outbound 443.

Can I block hardcoded DoH on pfSense the same way as OPNsense?

Yes. pfSense uses the same pf packet filter: create host aliases for bootstrap resolvers, add a NAT port forward redirecting TV VLAN port 53 to your filter, then place block rules for 443 and 853 above general pass rules on the TV interface.

Should smart TVs be on a separate VLAN for DNS blocking?

A dedicated TV VLAN narrows NAT redirect scope and limits lateral movement. Your DNS filter can live on LAN or a services VLAN; the TV VLAN only needs a pass rule to the filter on port 53.

How do I verify hardcoded DoH is actually blocked on my TV?

Power-cycle the TV, confirm its MAC appears in AdGuard or Pi-hole query logs within 60 seconds, and watch firewall logs for blocked 443/853 flows to bootstrap resolver aliases. Run dig @8.8.8.8 from a laptop on the TV VLAN—it should redirect or fail closed.

What if my TV still leaks DNS after blocking 8.8.8.8?

Check IPv6 resolver paths, add denied destination IPs from 48 hours of firewall logs to your bootstrap alias, and confirm you blocked both TCP 443 (DoH) and TCP/UDP 853 (DoT). Some Fire TV builds retry OpenDNS at 208.67.222.222.

Primary sources

IndexSourceURL
1OPNsense — Firewallhttps://docs.opnsense.org/manual/firewall.html
2OPNsense — NAT / port forwardshttps://docs.opnsense.org/manual/nat.html
5IETF RFC 8484 — DNS Queries over HTTPS (DoH)https://datatracker.ietf.org/doc/html/rfc8484
6IETF RFC 7858 — DNS over TLS (DoT)https://datatracker.ietf.org/doc/html/rfc7858
8Google Public DNS — DoH documentationhttps://developers.google.com/speed/public-dns/docs/doh
9Cloudflare 1.1.1.1 — resolver addresseshttps://developers.cloudflare.com/1.1.1.1/ip-addresses/
10Quad9 — service addresseshttps://quad9.net/service/service-addresses-and-features
7dibdot DoH-IP blocklistshttps://github.com/dibdot/DoH-IP-blocklists
11Samsung — USA Privacy Policy (connected TV)https://www.samsung.com/us/account/privacy-policy/
3pfSense — NAT port forwardshttps://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
4pfSense — Firewall ruleshttps://docs.netgate.com/pfsense/en/latest/firewall/firewall-rules.html

Conclusion

Hardcoded DNS-over-HTTPS is how Samsung, LG, Vizio, and Google TV panels escape local DNS filters: encryption plus baked-in resolver IPs on ports 443 and 853. OPNsense and pfSense fix it with transparent port-53 redirect and surgical denies to a maintained bootstrap alias—logged, tuned weekly, and paired with DHCP that points the TV VLAN at your filter.

Export your config, apply the checklist, and confirm each television appears in query logs after a cold boot. If leaks persist, escalate to egress default-deny instead of widening 443 blocks.

Dataset (JSON-LD)

Footnotes

  1. OPNsense documentation — Firewall, accessed 16 June 2026. https://docs.opnsense.org/manual/firewall.html 2

  2. OPNsense documentation — NAT, accessed 16 June 2026. https://docs.opnsense.org/manual/nat.html 2 3

  3. pfSense documentation — NAT port forwards, accessed 16 June 2026. https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html 2 3

  4. pfSense documentation — Firewall rules, accessed 16 June 2026. https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rules.html 2

  5. IETF RFC 8484 — DNS Queries over HTTPS. https://datatracker.ietf.org/doc/html/rfc8484 2

  6. IETF RFC 7858 — DNS over TLS. https://datatracker.ietf.org/doc/html/rfc7858 2

  7. dibdot DoH-IP blocklists. https://github.com/dibdot/DoH-IP-blocklists 2

  8. Google Public DNS — DoH. https://developers.google.com/speed/public-dns/docs/doh

  9. Cloudflare — 1.1.1.1 IP addresses. https://developers.cloudflare.com/1.1.1.1/ip-addresses/

  10. Quad9 service addresses. https://quad9.net/service/service-addresses-and-features

  11. Samsung USA Privacy Policy — connected TV. https://www.samsung.com/us/account/privacy-policy/

Related guides