Block updates. DNS way. No root needed

Ighor

Senior Member
Jul 3, 2010
115
158
IF
t.me
Here are instructions on how to block updates on a Fire TV.

Important!
  • Recently a Fire TV update was released; it blocks every way to disable auto updates except this one
  • Some ISPs replace client DNS requests with their own answers; in that case this method won't work.
  • DNS configuration is saved per access point; if you connect to another Wi-Fi network you need to enter the DNS again.
  • If you connect a VPN, DNS settings will be ignored, so you can use a VPN only if it works per app and not system-wide.
  • No PC needed
Step-by-step instructions
  1. Go to your Fire TV Network settings and remove all networks except the one you are going to use. (Menu -> OK)
  2. While connected to the Wi-Fi network you use, go to My Fire TV -> About -> Network and save "IP Address", "Gateway", "Subnet Mask" somewhere, or take a picture
  3. Go to Network settings and remove your Wi-Fi connection
  4. Start connecting to your Wi-Fi access point again, enter the password but don't press Next
  5. Press the "Advanced" button at the bottom center
  6. Enter the IP Address saved in step 2 and press Next
  7. Enter the Gateway address saved in step 2 and press Next
  8. Enter the Network Prefix Length (get it from this page using the "Subnet Mask" saved in step 2) and press Next
  9. Enter the DNS address, picking the nearest one from the list below, and press Next
    • USA: 104.154.51.7
    • Europe: 104.155.28.90
    • Asia: 104.155.220.58
    • South America: 35.199.88.219
    • Australia and Oceania: 35.189.47.23
  10. Skip "DNS 2" configuration and press "Connect"
  11. Wait for the Captive Portal to open. If it opens, that is proof that the DNS is working! Otherwise it means that update blocking does not work for you.
  12. In the Captive Portal use the remote control buttons to navigate Menu -> Settings -> Fire TV -> Close Captive Portal
  13. Press the Back button on the remote control
  14. Press the Play/Pause button on the selected Wi-Fi network to check network status; it should show the online status
  15. Go to My Fire TV -> About -> Check for Updates and if you see an "Update Error" message, it is working
While the DNS settings are in place, you are safe to stay on the current firmware, and no updates will be installed in the background.

To test whether your ISP/router is replacing DNS requests, you can use this command:
nslookup test.idns [DNS SERVER]
The result should contain a line with the address 1.2.3.4, which means it is working fine for you.


If you find any issues, please write them in comments.

--------

To disable OTA if you have root rights (no DNS needed), run as root in a shell:

Code:
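# Remount /system read-write so the hosts file can be changed
mount -o rw,remount /system

# Append (>>) so the existing entries in the hosts file are kept
echo -e '\n0.0.0.0 softwareupdates.amazon.com' >> /etc/hosts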
 

Last edited:

USAMac

Member
Jun 13, 2012
35
6
Georgia
I'd like to give this a try later.. Excited for it to work. Can you please proofread #11 and clarify, mostly the 2nd half? Seems a critical point in the process.
 

Finnzz

Senior Member
Sep 26, 2017
459
257
@Ighor Thanks.

Whose DNS servers are these?

I'm assuming that Amazon update servers have been blocked from these DNS servers, I'm just wondering who's managing them?

Alternatively, you can block updates through your router. Blocking updates on the FireTV itself is best and easiest, second best option is via your router, and last resort is DNS.

An old walkthrough that talks about all the ways of blocking updates and the benefits of each

 

Ighor

Senior Member
Jul 3, 2010
115
158
IF
t.me
Whose DNS servers are these?
These are my servers, running since 2014 for different purposes. Since my DNS engine is very flexible, I can create rules to provide different features for different devices. So Fire TV support is now added.
For example, in OpenDNS you can't create rules for *amazon*updates*, but my server has that capability; it also catches regional and any possible new domains.
 
  • Like
Reactions: Sus_i

Finnzz

Senior Member
Sep 26, 2017
459
257
These are my servers, running since 2014 for different purposes. Since my DNS engine is very flexible, I can create rules to provide different features for different devices. So Fire TV support is now added.
For example, in OpenDNS you can't create rules for *amazon*updates*, but my server has that capability; it also catches regional and any possible new domains.
Ok, yeah I figured someone needed to be managing the Amazon addresses :) The more options the better.

Why do you have different servers for different regions? Are your servers physically located in different parts of the world?

Are your servers going to be able to handle thousands of FireTV devices?
 

Finnzz

Senior Member
Sep 26, 2017
459
257
Ok thank you!

I have to say I have one big concern. Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways.


However, if your computer or network is pointed at a malicious DNS server set up by a scammer, the malicious DNS server could respond with a different IP address entirely. In this way, it’s possible that you could see “facebook.com” in your browser’s address bar, but you may not actually be at the real facebook.com. Behind the scenes, the malicious DNS server has pointed you to a different IP address.


I appreciate the gesture you are making to help everyone out, but I'm also wondering how the average user can determine if the DNS servers are trustworthy?

I don't mean to offend you, but being cautious is always best when it comes to security.

It's similar to recommending that you only install apps from trusted sources, and only give ADB access to very trusted sources.

When a stranger offers you a ride home you take a greater risk than if you use public transportation lol
 
Last edited:

Ighor

Senior Member
Jul 3, 2010
115
158
IF
t.me
Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways.

I'm also wondering how the average user can determine if the DNS servers are trustworthy?
That is a fair thing to worry about if you are using an unknown DNS on your PC, since the risk is in you: when you enter a website, you may not notice that you forgot to add https:// and are using http://, or you may mistakenly agree to trust an unknown certificate if prompted. In that case someone can see your traffic.

But if you use that with the device, there is no choice; it always uses https://, so if someone tries to catch your traffic, they will fail with SSL errors. So technically you don't have to trust a DNS server or a VPN if you are entering it on your Android/iOS device (and not using Internet browsers).

Anyway, if anyone replaces DNS records with a malicious IP address, at least some users can notice the certificate warnings and report them. In other cases websites may notify you about unusual logins from other countries (if someone has caught your unencrypted traffic). I never did anything like that, so you won't find any reports about my DNS servers.
 
Last edited:
  • Like
Reactions: Sus_i and Finnzz

Finnzz

Senior Member
Sep 26, 2017
459
257
Anyway, if anyone replaces DNS records with a malicious IP address, at least some users can notice the certificate warnings and report them. I never did anything like that, so you won't be able to find any reports about my DNS servers.

Yeah sorry, I hate to bring it up. I think everyone knows they take a risk when installing new apps, but far fewer know the potential of a malicious DNS server. I don't like asking the questions, because just the question insinuates something negative. Nothing against you personally.

Thank you for sharing your DNS. Hopefully you can save a few FireTV users on your ark before the next update that really does some damage.
 
Last edited:

TakeTheActive

Member
Aug 10, 2021
14
9
Here is instructions of how to block Updates on a Fire TV...
@Ighor...Alternatively, you can block updates through your router. Blocking updates on the FireTV itself is best and easiest, second best option is via your router, and last resort is DNS.

An old walkthrough that talks about all the ways of blocking updates and the benefits of each


Ok thank you!

I have to say I have one big concern. Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways...

...I appreciate the gesture you are making to help everyone out, but I'm also wondering how the average user can determine if the DNS servers are trustworthy?

I don't mean to offend you, but being cautious is always best when it comes to security...

...I hate to bring it up. I think everyone knows they take a risk when installing new apps, but far less know the potential of a malicious DNS server. I don't like asking the questions, because just the question insinuates something negative. Nothing against you personally...
I certainly appreciate the GENEROSITY of a "Technologically Competent" person offering their services to "Technologically Incompetent" folks, but *WHY* would someone TRUST a stranger to block specific DNS addresses when they could:
  1. Block them locally on THEIR OWN router?
  2. Block them locally on THEIR OWN DHCP server (I use Pi-Hole on a Raspberry Pi 3B)?
  3. Block them with (well-known, established) OpenDNS (Method 4 on the AFTVNews article, as per the LINK posted by @Finnzz )?
  4. TBD...
 
  • Like
Reactions: Kitch2400 and Ighor

Sus_i

Senior Member
Apr 9, 2013
1,882
837
I certainly appreciate the GENEROSITY of a "Technologically Competent" person offering their services
Yeah, really nice :)
but *WHY* would someone TRUST a stranger to block specific DNS addresses when they could:
  1. Block them locally on THEIR OWN router?
  2. Block them locally on THEIR OWN DHCP server (I use Pi-Hole on a Raspberry Pi 3B)?
  3. Block them with (well-known, established) OpenDNS (Method 4 on the AFTVNews article, as per the LINK posted by @Finnzz )?
  4. TBD...
If you set up a local proxy server with a program like charles proxy or mitm, you can see all the traffic the fireTV generates on your PC... you see all the data, in listings, well ordered by process.
Almost all of this traffic and data is useless crap, since almost all of this stuff is encrypted.
Only thing readable is advertising sh*t and some meta statistics.

Anyways, a DNS server won't sniff any of this data, it gets only DNS requests, so it will most likely be perfectly fine and a very convenient method for users (users without a Pi-hole or a capable router, capable to block encrypted DNS requests). ;)

Btw, it's also a working and very common method to block updates on homebrewed PS4 and Nintendo Switch devices :p
 
  • Like
Reactions: Ighor

ruky23

Member
Mar 17, 2013
21
3
Thunder Bay
Here is instructions of how to block Updates on a Fire TV.
Used the US DNS server listed here, set up my VPN to tunnel on a per-app basis, and it still updated anyway. Also, most available URLs for Amazon update services have been blacklisted on my router!
Why is this happening?
 

PeteyNice

Member
Oct 7, 2008
25
1
This doesn't seem to work any more. I got a new 4K Max stick and before I plugged it in I made sure your US server was set up as my router's DNS to assign to DHCP clients. It still found an update and rebooted to install it before I could unplug the router.
 

Ighor

Senior Member
Jul 3, 2010
115
158
IF
t.me
This doesn't seem to work any more. I got a new 4K Max stick and before I plugged it in I made sure your US server was set up as my router's DNS to assign to DHCP clients. It still found an update and rebooted to install it before I could unplug the router.
Are you sure your ISP does not replace DNS answers with their own?
 

PeteyNice

Member
Oct 7, 2008
25
1
While the DNS server is local, as Pi-hole is, the ISP can't replace DNS requests.
It is possible only for remote DNS servers, like mine.
What is the nslookup answer for the line posted in the picture of this thread?

It worked as expected. One thing I noticed, now that it is set up, is that it is including Google DNS along with my Pi-hole. I wonder if it tried Google when your server failed to resolve it.
 

Ighor

Senior Member
Jul 3, 2010
115
158
IF
t.me
is that it is including Google DNS
It uses a random one, or both at the same time, and of course in my DNS it failed, so it takes the DNS answer from the second DNS.
To get it to work, only my DNS server needs to be set.
Also, please don't set my DNS server on your router, but on the Fire TV directly, because to prevent domain brute-forcing by scammers I made special conditions for when it works and when it doesn't. And if you turn off your Fire TV for a while, my DNS will stop working the next day for your IP.
 
