I was about to release a guide on disabling OTA updates by blocking the servers with RethinkDNS when @Datastream33 released v30 of Toolbox with a new data-restricting method of blocking them. I waited a little bit to see the reaction to it and it seems that it blocks some other things too.
Without further ado, here's a preliminary guide to setting up RethinkDNS and Activity Launcher to block any DNS lookups for Amazon's update servers.
Alright, I've been testing this app for over a month and I haven't gotten any surprise "updates" just waiting for a reboot to install themselves! I haven't been turning off WiFi before rebooting, or taken any precautions to prevent updates other than just this app with the settings given here. I've only checked if there was an update waiting to install before turning my tablet off so I could delete it if I found one. My tablet has stayed on v18.104.22.168, while the most current release is 22.214.171.124. Using DNS66, I got surprised by the update from 126.96.36.199. I started watching for updates and had to delete them several times before I started using RethinkDNS. Using RethinkDNS has worked flawlessly in disabling OTA updates. The only caveat is that you can't run a "real" VPN along with RethinkDNS because it uses the VPN interface of your tablet in order to work. If you must run a VPN, you'll have to put my blocklist into your router's firewall rules so that the VPN interface of your tablet is free to run a VPN.
Turn off your tablet's WiFi and disable DNS66 or any other VPN you are running.
Get RethinkDNS from the source and sideload it to your tablet. The current version is v053k. Get Activity Launcher from UpToDown.com and sideload that to your tablet.
Install RethinkDNS. Install Activity Launcher. (You can combine steps and just stream install them from your computer if you'd like.)
Launch RethinkDNS. Tap "Apps" in the upper-left. A box will pop up saying "Start DNS and Firewall (default)". Tap "START". Another box will pop up saying "Attention!.....". Tap "Proceed". Another box will pop up saying "Connection request". Tap "OK". The app will start. Now you just need to configure it.
Tap "Apps" in the upper-left once again. Now a list of installed apps will populate the screen. There are 4 apps you want to block to prevent OTA Updates. Scroll down the list and find each of these apps and tap the blue WiFi and the blue Mobile Data icon next to each of them so they toggle to red.
- DeviceSoftwareOTA - when you block this a box will pop up saying it will also block 3 other apps. Tap "Proceed". It will repeat that warning when you block both the WiFi and Mobile Network options. When you are done, both should change from blue to red and it should say "blocked" under DeviceSoftwareOTA.
- Forced OTA - Block both WiFi and Mobile Data on this. No popup boxes this time, the indicators just change from blue to red.
- System Updates (1) - This should already be blocked from the first app. If not, repeat the procedure and block both WiFi and Mobile Data.
- System Updates (2) - Again, this should be blocked from the first app and if not repeat the blocking procedure.
Now to check if you are configured properly, look at the top and tap the "Blocked" heading. Your display should now list just those 4 apps and the indicators on the right should all be red. Tap to toggle any that are still blue.
Now we need to use Activity Launcher to get to the hidden VPN settings of your tablet. Launch Activity Launcher. Let it load (it takes several seconds) and use the search glass in the upper-right. Type in "VPN" (without the quotes). At the bottom of the list under settings you'll see VPN. Tap it. Now find RethinkDNS on the list of installed VPNs and tap the gear at the right. Tap "Always-on VPN" to toggle it on. Tap "Block connections without VPN" to toggle that on. You'll get a warning screen, but acknowledge that and turn it on.
Edit: This can now also be done in Toolbox by going into Modify System Settings > Networking tab > VPN Settings if you don't want to install Activity Launcher, but Activity Launcher allows you access to other settings that Amazon hides.
Turn on your WiFi now.
Congratulations! You're all done. You should be safe from further updates.
There are other DNS changes that RethinkDNS can make. If you require them, relaunch RethinkDNS and tap the DNS tab in the upper-right to change DNS settings.
Your DNS lookups by default will use DoH (DNS over HTTPS). This makes it almost impossible for your DNS lookups to be redirected to a different site than what you typed into your browser. It also makes your DNS lookups unreadable by your ISP so they can't track what you do by your unencrypted DNS lookups (which happen even though your traffic may be encrypted). RethinkDNS also offers Dnscrypt, which is another method of doing the same thing. I believe DoH (the default) is most compatible and left that alone.
You can also use "filtered" DNS lookups to block offensive sites, block piracy sites, block adult sites, etc.
You can also use Cloudflare DNS, Google DNS, CleanBrowsing DNS, Quad9 DNS, or a custom DNS. If you know what you want, you can change your DNS settings here.
If you want to use additional blocklists in your DNS lookups, tap "On-device blocklists". Tap "Disabled" to enable this feature. Let it download the available blocklists. Tap "Configure". Under the "SIMPLE" tab, tap the filters you wish to use. Tap "APPLY".
You can change any other defaults if you wish. This includes all the settings in the settings menu. I left all these settings alone. I would recommend testing your internet after each change you make. If your internet stops working, go back to the defaults until you've determined that you really want to change that setting. Otherwise all the defaults will work fine for the purpose of blocking updates.
If needed, I'll post screenshots of the setup procedure.
NOTE: A reboot may be required after this procedure before you once again get internet access. (Thanks @smirnoff9969
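
Added example, not part of the original post: a way to confirm from a computer over adb that the "Always-on VPN" and "Block connections without VPN" toggles from the Activity Launcher step actually took effect. It assumes the tablet exposes the stock Android secure settings `always_on_vpn_app` and `always_on_vpn_lockdown`, and that RethinkDNS is installed under the package name `com.celzero.bravedns`.

```shell
#!/bin/sh
# Added example: audit the always-on VPN / lockdown state over adb.

# Assumption: Android package name of RethinkDNS.
RETHINK_PKG="com.celzero.bravedns"

# check_vpn_lockdown APP LOCKDOWN
#   APP      = value of secure setting "always_on_vpn_app"
#   LOCKDOWN = value of secure setting "always_on_vpn_lockdown"
# Returns 0 if RethinkDNS is always-on with lockdown, 2 if always-on
# is set but traffic can still bypass the VPN, 1 otherwise.
check_vpn_lockdown() {
    app=$1
    lockdown=$2
    case "$app" in
        ""|null)
            echo "FAIL: no always-on VPN app is set"
            return 1 ;;
    esac
    if [ "$app" != "$RETHINK_PKG" ]; then
        echo "FAIL: always-on VPN is '$app', expected '$RETHINK_PKG'"
        return 1
    fi
    if [ "$lockdown" != "1" ]; then
        echo "WARN: always-on is set, but 'Block connections without VPN' is off"
        return 2
    fi
    echo "OK: $RETHINK_PKG is always-on with lockdown enabled"
    return 0
}

# read_setting KEY: fetch one secure setting from the attached tablet,
# stripping the carriage return some adb builds append.
read_setting() {
    adb shell settings get secure "$1" | tr -d '\r'
}

# audit_device: run the check against the tablet connected over adb.
audit_device() {
    check_vpn_lockdown "$(read_setting always_on_vpn_app)" \
                       "$(read_setting always_on_vpn_lockdown)"
}

# Only touch a device when asked to: sh check_vpn.sh --device
if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

A result of `WARN` means apps can still reach the network whenever RethinkDNS is stopped or restarting, which is the window in which an update check could get through.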