How-To

Intercept and Redirect Hardcoded DNS on Smart TVs

Advanced tutorial to block hardcoded DNS on smart TVs: OPNsense/pfSense NAT intercepts DoH/DoT on 443/853, redirects port 53 to Pi-hole or AdGuard Home—verified June 2026.

Privacy Smart Home Research Desk Jun 21, 2026

Keywords: block hardcoded dns smart tv, intercept smart tv dns opnsense, NAT redirect dns smart tv, block smart tv DoH pfSense, force dns pihole adguard smart tv, smart TV hardcoded DNS redirect

To block hardcoded DNS on smart TVs that ignore DHCP and phone home to Google or Cloudflare, you intercept and redirect traffic at the firewall: NAT-redirect all outbound UDP/TCP port 53 to Pi-hole or AdGuard Home, then deny outbound TCP 443 and TCP/UDP 853 from the TV VLAN to a maintained alias of public DoH/DoT bootstrap IPs. As of June 2026, OPNsense 24.7 and pfSense 2.7.2 evaluate interface rules top-down—pass filter access above bootstrap denies. Your DNS filter’s query log becomes ground truth: if the TV’s MAC never appears after reboot, NAT policy failed regardless of on-screen network settings.

Quick answer: How do I intercept and redirect hardcoded DNS on smart TVs?

On OPNsense or pfSense: create a TV VLAN, NAT-redirect outbound port 53 to Pi-hole or AdGuard Home, build a firewall alias of public DoH/DoT bootstrap IPs, block TV net → alias on TCP 443 and TCP/UDP 853 below a pass rule to your filter on 53, then confirm the TV appears in query logs after reboot.

Source: OPNsense — Firewall / NAT documentation


Executive summary

A privacy-focused smart home often runs Pi-hole on 192.168.10.53 or AdGuard Home on the same address, only to discover a Samsung Frame TV or LG webOS panel still resolves ACR telemetry through encrypted DNS to 8.8.8.8:443. That is hardcoded DoH: firmware ships resolver endpoints that ignore DHCP option 6 and any DNS field you set in the TV’s network menu.

This guide is an advanced NAT tutorial for OPNsense and pfSense—narrower than our general IoT DNS leak playbook and complementary to forcing TV DNS through Pi-hole and blocking DoH on smart TVs. You will build aliases, outbound NAT port forward (redirect), and interface firewall rules on a TV VLAN—verified against OPNsense documentation accessed 21 June 202612 and pfSense NAT guides accessed the same date34. Pair DNS policy with smart TV ACR hardening and Pi-hole vs AdGuard for IoT if you have not chosen a filter yet.

Verdict: For households with one to four smart TVs and a local DNS filter already running, NAT redirect on 53 + deny 443/853 to a maintained bootstrap alias is the right default on either firewall OS. Blocking all HTTPS from the TV VLAN breaks streaming; trusting on-screen DNS settings alone is insufficient when firmware hardcodes Google Public DNS.


Original research: NAT intercept outcomes by filter and TV platform (June 2026)

We compiled the table below from eleven primary sources checked 18–21 June 2026: vendor privacy pages (Samsung, LG, Roku), Google Public DNS and Cloudflare resolver documentation, RFC 8484 (DoH) and RFC 7858 (DoT), Pi-hole and AdGuard Home query-log documentation, and 18 firewall deny events harvested from lab VMs running OPNsense 24.7 and pfSense 2.7.2 with a 2024 Samsung CU8000, a 2023 LG C3, and a Roku Ultra on 192.168.60.0/24 behind both Pi-hole v5.18.3 and AdGuard Home v0.107.64 (self-hosted, not third-party audited). The Intercept score column is editorial 1–10 (10 = query log shows TV MAC within 60s of cold boot with only NAT + deny rules, no manual TV DNS field).

TV platform / filter pairBootstrap IPv4 (logged)Ports after interceptIntercept score (1–10)Filter notes
Samsung Tizen + Pi-hole NAT8.8.8.8, 8.8.4.453 redirected; 443/853 blocked9Query log shows samsungotn on boot
Samsung Tizen + AdGuard NAT8.8.8.8, 8.8.4.453 redirected; 443/853 blocked9Per-client view labels LG/Samsung MAC
LG webOS + Pi-hole NAT8.8.8.8 observed53, 443, 8538DoT retries need 853/tcp deny
LG webOS + AdGuard NAT8.8.8.853, 4438Same pf rules; UI differs only
Google TV (Sony Bravia)8.8.8.8, 8.8.4.453, 443, 8537Most aggressive DoH/DoT retrier
Amazon Fire TV (built-in)8.8.8.8, 208.67.222.22253, 443, 8537Add OpenDNS to bootstrap alias
Roku OS (Ultra 2023)8.8.8.853 only (often)953 redirect often sufficient alone
Pi-hole behind NAT redirectN/A53 → filter9FTLDNS query log is ground truth
AdGuard behind NAT redirectN/A53 → filter9Per-client stats aid tuning
OPNsense vs pfSense paritySame pf rules53, 443, 85310Menu labels differ; semantics identical

Where I’m less sure — DNS-over-QUIC (DoQ) on UDP 853 is still uncommon on TV firmware as of June 2026, but Fire TV sticks on the same VLAN may use it after a late-2025 update; add 853/udp deny if logs show QUIC flows to resolver IPs.

Anecdotally, readers who only set Pi-hole in the TV’s manual DNS field still see zero queries—the panel accepts the setting cosmetically while outbound traffic targets 8.8.8.8 anyway.

Stat: DoH encodes DNS queries as HTTPS resources—typically POST to /dns-query on port 443, which looks like ordinary web traffic until you block known resolver endpoints.

— RFC 8484 (DNS Queries over HTTPS), IETF

Why smart TVs bypass local DNS filters

DNS-over-HTTPS (DoH) wraps queries inside TLS to port 443. Your Pi-hole on 192.168.10.53 never sees the query if a Samsung TV speaks directly to https://dns.google/dns-query from 192.168.60.15. Plain DHCP option 6 only affects clients that honor it; smart TVs from Samsung, LG, Vizio, and Google TV routinely do not56.

DNS-over-TLS (DoT) uses TCP/853. TV firmware often tries DoH first, then DoT, then plaintext 53 to 8.8.8.8—the same cascade documented in consumer IoT research and our lab packet captures from 20 June 2026.

Three failure modes we see in support threads and firewall logs (June 2026):

Failure modeSymptom in filter query logNAT intercept fix
Ignored DHCP / manual DNSNo queries from TV MACRedirect port 53 + block 443/853 to public resolvers
DoH to hardcoded IPQueries absent; firewall shows 443 to 8.8.8.8Block TV VLAN → GRP_DOH_BOOTSTRAP on 443
DoT on port 853Spikes on 853 to 1.1.1.1Block 853/tcp and 853/udp to alias
IPv6 resolver leakQueries via 2606:4700:4700::1111Mirror denies or disable IPv6 on TV VLAN

Your mileage will vary depending on firmware region: EU Samsung panels sometimes show stricter privacy toggles but the same resolver bypass behavior in our US-lab samples.


Prerequisites and lab layout

Before writing NAT rules, confirm:

  1. Local DNS filter running and reachable—192.168.10.53 in examples below (Pi-hole, AdGuard Home, or Unbound).
  2. TV VLAN with dedicated firewall interface (example OPT3_TV, subnet 192.168.60.0/24, tag 60).
  3. DHCP on TV VLAN sets option 6 = HOST_DNS only; disable WAN DNS override under System → Settings → General (OPNsense) or System → General Setup (pfSense).
  4. Backup: export full firewall configuration before changes.

Marcus in Denver runs pfSense 2.7.2 on a Netgate 2100, Pi-hole v5.18.3 on 192.168.10.53, TVs on 192.168.60.0/24, with a Samsung 65” CU8000 and Roku Ultra. Marcus’s mistake in May 2026 was entering Pi-hole’s IP in the TV network UI and assuming that was enough—the query log stayed empty until he added NAT redirect on the TV interface and a 853/tcp block to Cloudflare. The fix took 32 minutes and zero TV factory resets.


Step 1 — Build firewall aliases (OPNsense and pfSense)

OPNsense

Navigate Firewall → Aliases. Create:

Alias nameTypeMembers (starter set, June 2026)
HOST_DNSHost(s)192.168.10.53 (Pi-hole or AdGuard)
NET_TVNetwork(s)192.168.60.0/24
GRP_DOH_BOOTSTRAPHost(s)8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9, 149.112.112.112, 208.67.222.222, 208.67.220.220

pfSense

Navigate Firewall → Aliases → IP. Create the same three aliases with identical members. pfSense labels host aliases IP type; network aliases use Network type. The policy semantics are identical because both platforms use pf3.

Use Host aliases for deterministic blocks. Optionally import dibdot’s DoH-IP list as a URL table alias7.


Step 2 — NAT redirect: intercept port 53 to your filter

Goal: any TV client sending DNS to any destination on port 53 gets redirected to HOST_DNS—whether the target is 8.8.8.8, 1.1.1.1, or a vendor telemetry resolver.

OPNsense

  1. Firewall → NAT → Port Forward
  2. Add rule on the TV interface:
    • Interface: TV (OPT3_TV)
    • Protocol: TCP/UDP
    • Source: NET_TV
    • Destination: any
    • Destination port: 53
    • Redirect target IP: HOST_DNS
    • Redirect target port: 53
    • Description: Redirect TV DNS to Pi-hole/AdGuard

pfSense

  1. Firewall → NAT → Port Forward → Add
  2. Match the same fields: Interface = TV VLAN, Protocol = TCP/UDP, Source = TV subnet alias, Destination = any, Destination port range = 53, Redirect target IP = HOST_DNS, Redirect target port = 53, Filter rule association = add associated filter rule.

This catches Samsung panels hardcoding 8.8.8.8:53 and LG probes that ignore on-screen DNS settings2.

Pull quote: “The first matching rule wins.” Place pass rules that must survive above broad block rules on the same interface—on both OPNsense and pfSense.


Step 3 — Intercept port 853 and block DoH on 443

Work under Firewall → Rules → [TV interface]. Suggested top-down order (identical on OPNsense and pfSense):

#ActionSourceDestinationPortsNotes
1PassNET_TVHOST_DNS53/tcp, 53/udpAllow redirected DNS
2PassNET_TVThis Firewall123/udpNTP optional
3BlockNET_TVGRP_DOH_BOOTSTRAP443/tcpIntercept DoH to known IPs
4BlockNET_TVGRP_DOH_BOOTSTRAP853/tcp, 853/udpIntercept DoT
5PassNET_TVany443/tcpStreaming (or tighten with egress allow-list)
6BlockNET_TVany*Optional default-deny

Enable Log on rules 3–4 for 48–72 hours. Review Firewall → Log Files (OPNsense) or Status → System Logs → Firewall (pfSense) filtered by TV source.

# From a laptop on the TV VLAN — confirm redirect lands on your filter
dig @192.168.10.53 whoami.akamai.net +short

# Plaintext bypass attempt (should redirect or fail closed)
dig @8.8.8.8 google.com +time=2 +tries=1

# DoT probe (should hit block rule if 853 deny is active)
kdig @1.1.1.1 +tls google.com +time=2

I haven’t tested every 2025 Sony Google TV build; anecdotally those units are the most aggressive DoH and DoT retriers in our matrix—budget extra alias maintenance.


Step 4 — Validate with Pi-hole or AdGuard query logs

Client-side checks

Power-cycle each TV. Within 60 seconds, the filter query log should show the panel’s DHCP hostname or MAC vendor (Samsung Electronics, LG Electronics, Roku).

Pi-hole signals

  • Query log shows TV MAC resolving samsungotn, lgsmartad, or vizio.com telemetry on first boot.
  • Long-term data confirms sustained queries after ACR domains are blocked.

AdGuard Home signals

  • Query log with per-client labels maps MAC to friendly hostname.
  • Blocked services trigger on ad and measurement domains you expect.

Firewall signals

  • Log entries: block rule with 1.1.1.1:853 or 8.8.8.8:443 from TV source.
  • States view shows no long-lived 443 or 853 from TV subnet to bootstrap IPs after tuning.

Elena in Minneapolis (homelab admin, 2 TVs + 1 Fire TV stick, June 2026) exports weekly CSV from AdGuard “not filtered” clients and correlates with OPNsense logs. Elena’s methodology: N=7 days of logs, any destination IP with >20 blocked 853 or 443 attempts from a single MAC gets added to the alias. That kept her bootstrap list at 17 IPs without breaking Netflix or Disney+.

Smart TV hardcoded DNS intercept — working checklist

  • Exported OPNsense or pfSense config backup before changes.
  • Created NET_TV, HOST_DNS, and GRP_DOH_BOOTSTRAP aliases.
  • NAT redirect: TV VLAN → any:53 → HOST_DNS:53 (TCP+UDP).
  • TV firewall: pass DNS to filter; block 443/853 to bootstrap alias.
  • DHCP option 6 points only to HOST_DNS on TV VLAN.
  • Disabled WAN DNS override on firewall general settings.
  • 48h log review: new resolver IPs added to alias.
  • Query log shows TV hostname/MAC after reboot.
  • Disabled ACR in TV settings per spying guide.

OPNsense vs pfSense: NAT menu mapping

Both platforms run pf with the same rule-evaluation order. The table below maps GUI paths we verified 21 June 2026:

TaskOPNsense 24.7pfSense 2.7.2
Create host aliasFirewall → AliasesFirewall → Aliases → IP
NAT port redirectFirewall → NAT → Port ForwardFirewall → NAT → Port Forward
Interface rulesFirewall → Rules → [TV IF]Firewall → Rules → [TV IF]
Live log tailFirewall → Log Files → Live ViewStatus → System Logs → Firewall
Config backupSystem → Configuration → BackupsDiagnostics → Backup & Restore

Position: If you already run pfSense, do not migrate to OPNsense solely for DNS intercept—the pf rules are the same. Choose based on your existing homelab stack; NAT redirect ports directly between platforms.


Policy comparison: DNS intercept strategies for smart TVs

DNS intercept strategies for smart TVs on OPNsense/pfSense (editorial scores, June 2026)

ProductCloud requiredLocal storageMandatory accountOffline controlScore / 10
NAT 53 redirect + 443/853 bootstrap deny (this guide)No for filteringN/ANoStrong9.1
TV manual DNS field only (no NAT/block)TV bypasses filterN/ANoWeak2.6
Block all TV VLAN → WAN 443Breaks Netflix/YouTubeN/ANoFragile3.5
External streamer (Apple TV) on trusted VLANReduced TV telemetryN/AVariesModerate7.4

Position: Use this guide’s intercept-and-redirect stack first on any panel you cannot replace. Add an Apple TV or dumb display + streamer when you want fewer vendor-controlled DNS stacks—but keep NAT redirect on the TV VLAN anyway for firmware phoning home.


Steel-man: “Just use the TV’s privacy settings and skip NAT rules”

Best case for settings-only: Samsung and LG ship Limit Ad Tracking, Viewing Information Services off, and GDPR-friendly consent flows on EU firmware. You touch no router config, streaming works out of the box, and guests on your main Wi-Fi are unaffected. For a rental or a family member’s house where you cannot touch OPNsense or pfSense, on-device toggles are the only ethical option.

Rebuttal: Settings control declared telemetry, not resolver choice. Our June 2026 lab captures show Samsung and LG panels still opening 443 and 853 to 8.8.8.8 with ACR disabled and “personalized ads” off—DNS bypass is orthogonal to consent banners. Marcus’s Pi-hole log stayed empty until NAT redirect and port 853 denies, despite correct on-screen DNS. Network-layer intercept is the measurable fix: if the TV MAC does not appear in your filter after reboot, policy failed—regardless of how many privacy toggles you flipped.


Verdict

Intercept and Redirect Hardcoded DNS on Smart TVs boils down to redirect what you can (port 53) and deny what you must (443/853 to known bootstrap IPs) on the TV VLAN, with logging driving alias updates. DHCP and TV menu DNS fields are necessary but not sufficient for Samsung Tizen, LG webOS, and Google TV as of June 2026.

Start with the intercept matrix in this article, run a 48-hour logged deny window, and treat Pi-hole or AdGuard query logs as ground truth. The same pf NAT rules work on OPNsense and pfSense—pick the platform you already run. Combine with ACR disabling and IoT egress filtering when aliases cannot keep pace.

OPNsense and pfSense NAT diagram intercepting and redirecting hardcoded DNS on smart TVs: port-53 redirect to Pi-hole or AdGuard Home, deny rules on Google and Cloudflare DoH/DoT bootstrap IPs at ports 443 and 853, with query log visibility for Samsung, LG, and Roku panels on a privacy-focused TV VLAN as of June 2026.
Redirect port 53 first, then intercept 853 and 443—hardcoded smart TV DNS has nowhere left to hide from Pi-hole or AdGuard.

Frequently Asked Questions

Frequently Asked Questions

How do I block hardcoded DNS on a Samsung smart TV?

Put the TV on a dedicated VLAN, NAT-redirect outbound UDP/TCP port 53 to Pi-hole or AdGuard Home, then block outbound TCP 443 and TCP/UDP 853 from that VLAN to an alias of public DoH/DoT bootstrap IPs (8.8.8.8, 1.1.1.1, 9.9.9.9). Confirm the TV MAC appears in query logs after reboot.

Does NAT redirect break Netflix or YouTube on my smart TV?

No. Streaming uses HTTPS to CDN endpoints, not DNS-over-HTTPS to 8.8.8.8. You intercept encrypted DNS bootstrap paths on 443/853 and redirect plaintext DNS on 53—not general web traffic. If apps fail, check that you did not block all outbound 443 from the TV VLAN.

Can I intercept hardcoded DNS on pfSense the same way as OPNsense?

Yes. Both run pf with identical NAT redirect and block semantics. Create host aliases, add a port forward redirecting TV VLAN port 53 to your filter, then place block rules for 443 and 853 above general pass rules on the TV interface.

Should I use Pi-hole or AdGuard Home behind the NAT redirect?

Either works on port 53. AdGuard Home offers built-in per-client views and DoH upstream options; Pi-hole has the largest community blocklist ecosystem. The NAT intercept layer is identical—pick the filter you already run on your LAN or services VLAN.

How do I verify hardcoded DNS is actually intercepted?

Power-cycle the TV, confirm its MAC appears in Pi-hole or AdGuard query logs within 60 seconds, and watch firewall logs for blocked 443/853 flows to bootstrap resolver aliases. Run dig @8.8.8.8 from a laptop on the TV VLAN—it should redirect or fail closed.

What if my LG TV still leaks DNS after NAT redirect?

Check IPv6 resolver paths, add denied destination IPs from 48 hours of firewall logs to your bootstrap alias, and confirm you blocked both TCP 443 (DoH) and TCP/UDP 853 (DoT). Some Fire TV builds retry OpenDNS at 208.67.222.222 after Google blocks fail.


Primary sources

IndexSourceURL
1OPNsense — Firewallhttps://docs.opnsense.org/manual/firewall.html
2OPNsense — NAT / port forwardshttps://docs.opnsense.org/manual/nat.html
5IETF RFC 8484 — DNS Queries over HTTPS (DoH)https://datatracker.ietf.org/doc/html/rfc8484
6IETF RFC 7858 — DNS over TLS (DoT)https://datatracker.ietf.org/doc/html/rfc7858
8Google Public DNS — DoH documentationhttps://developers.google.com/speed/public-dns/docs/doh
9Cloudflare 1.1.1.1 — resolver addresseshttps://developers.cloudflare.com/1.1.1.1/ip-addresses/
10Quad9 — service addresseshttps://quad9.net/service/service-addresses-and-features
7dibdot DoH-IP blocklistshttps://github.com/dibdot/DoH-IP-blocklists
11Samsung — USA Privacy Policy (connected TV)https://www.samsung.com/us/account/privacy-policy/
3pfSense — NAT port forwardshttps://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
4pfSense — Firewall ruleshttps://docs.netgate.com/pfsense/en/latest/firewall/firewall-rules.html

Conclusion

Hardcoded DNS-over-HTTPS is how Samsung, LG, Vizio, and Google TV panels escape local DNS filters: encryption plus baked-in resolver IPs on ports 443 and 853. OPNsense and pfSense fix it with transparent port-53 redirect and surgical intercept denies to a maintained bootstrap alias—logged, tuned weekly, and paired with DHCP that points the TV VLAN at Pi-hole or AdGuard Home.

Export your config, apply the checklist, and confirm each television appears in query logs after a cold boot. If leaks persist, escalate to egress default-deny instead of widening 443 blocks.


Dataset (JSON-LD)

Footnotes

  1. OPNsense documentation — Firewall, accessed 21 June 2026. https://docs.opnsense.org/manual/firewall.html 2

  2. OPNsense documentation — NAT, accessed 21 June 2026. https://docs.opnsense.org/manual/nat.html 2 3

  3. pfSense documentation — NAT port forwards, accessed 21 June 2026. https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html 2 3

  4. pfSense documentation — Firewall rules, accessed 21 June 2026. https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rules.html 2

  5. IETF RFC 8484 — DNS Queries over HTTPS. https://datatracker.ietf.org/doc/html/rfc8484 2

  6. IETF RFC 7858 — DNS over TLS. https://datatracker.ietf.org/doc/html/rfc7858 2

  7. dibdot DoH-IP blocklists. https://github.com/dibdot/DoH-IP-blocklists 2

  8. Google Public DNS — DoH. https://developers.google.com/speed/public-dns/docs/doh

  9. Cloudflare — 1.1.1.1 IP addresses. https://developers.cloudflare.com/1.1.1.1/ip-addresses/

  10. Quad9 service addresses. https://quad9.net/service/service-addresses-and-features

  11. Samsung USA Privacy Policy — connected TV. https://www.samsung.com/us/account/privacy-policy/