A lot of devices require internet for at least one time to set them up.

How can I set them up such that as soon as I’ve programmed them/set their schedule, I can deny them access and prevent them from being chatty back with the mothership?

  • ZapBeebz_ · 3 days ago

    Hopefully someone else can chime in with the specifics/confirmation because I just think I know broadly, but setting up a pihole (or sim) should let you do what you want. Essentially, most of the time the device itself isn’t going to let you block its access, so you go further up the chain to your router, and have all data coming into/going out of your network funneled through a raspberry pi. Installing the right software (which I think is pihole) should let you block unauthorized communications outside your local network. Hopefully this is a pointer in the right direction for you.

    • walden@wetshav.ing · 2 days ago

      This approach works sometimes, but not for a lot of IoT devices.

      PiHole, Adguard Home, Technitium, and others act as DNS servers and cache. DNS is what takes a domain name like https://climate.us/ and tells your computer the actual network address of that website. In the case of climate.us it’s 2600:9000:2032:2a00:1b:a10e:7bc0:93a1 for IPv6 and 13.32.241.53 for IPv4.

      Most computers are well behaved. When they contact your router, they ask it “hey, what should I use as my DNS server?”. If you’ve set up AdGuard Home in your LAN, your router would respond “192.168.2.69”, for example.

      At that point, your computer would ask 192.168.2.69 all of its DNS queries.

      IoT devices, on the other hand, often ignore the router when instructed to use a specific address for DNS. Google products, for example, are hard coded to 8.8.8.8. So if you’re trying to block a Google device from finding something on the internet, it gets more complicated.

      DNS traffic all happens over port 53, both UDP and TCP. So to fully capture every single DNS request coming from your LAN, you need a router which is able to filter those requests and “translate” them. So the router would step in for a request to 8.8.8.8:53 and translate it to 192.168.2.69:53. Keep in mind you also have to set your router to not do this for 192.168.2.69, because then AdGuard Home will be asking itself DNS queries, which it still needs to find out on the internet.

      That’s the hard part. From there, you check AdGuard Home or whatever, and see what addresses each IoT device is trying to reach.

      If a WiFi connected toothbrush keeps trying to reach ‘chinesetrackingcompany.com’, then you can manually block that domain. The toothbrush will try for a bit, then give up.
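The two pieces of the approach in the reply above, the router forcing every port-53 packet to the local resolver (while leaving the resolver's own upstream queries alone) and the resolver blocking a domain along with its subdomains, as an added worked example that is not from anyone in this thread. It models the router's NAT decision, renders the equivalent nftables rules, and applies a blocklist check. The LAN prefix 192.168.2.0/24, the bridge interface name `br-lan`, and the client address 192.168.2.50 are assumptions; 192.168.2.69, 8.8.8.8 and the toothbrush domain come from the post.

```python
"""Model of the DNS-interception policy from the thread (constructed example).

Router side: rewrite LAN clients' port-53 traffic to the local resolver,
except traffic sent by the resolver itself (which must reach the internet).
Resolver side: refuse names that are on, or underneath, a blocked domain.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")       # assumed LAN prefix
RESOLVER = ip_address("192.168.2.69")    # AdGuard Home address from the post
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def nat_decision(pkt: Packet) -> str:
    """Return what the router does with a packet entering from the LAN.

    "dnat:<ip>:<port>"  rewrite the destination to the local resolver
    "accept"            leave the packet untouched
    """
    if pkt.proto not in ("udp", "tcp") or pkt.dport != DNS_PORT:
        return "accept"                          # not DNS, not our concern
    src = ip_address(pkt.src)
    if src not in LAN:
        return "accept"
    if src == RESOLVER:
        # The resolver's own upstream queries must pass; redirecting them
        # would send the resolver back to itself and it could never resolve.
        return "accept"
    if ip_address(pkt.dst) == RESOLVER:
        return "accept"                          # already going to the right place
    # Hard-coded resolvers such as 8.8.8.8 end up here and get rewritten.
    return f"dnat:{RESOLVER}:{DNS_PORT}"


def nftables_rules(lan_if: str = "br-lan") -> str:
    """Render the same policy as nftables rules (interface name is assumed)."""
    return "\n".join([
        "table ip dns_redirect {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        f'    iif "{lan_if}" ip saddr {RESOLVER} return',
        f'    iif "{lan_if}" ip daddr {RESOLVER} return',
        f'    iif "{lan_if}" udp dport {DNS_PORT} dnat to {RESOLVER}:{DNS_PORT}',
        f'    iif "{lan_if}" tcp dport {DNS_PORT} dnat to {RESOLVER}:{DNS_PORT}',
        "  }",
        "}",
    ])


BLOCKLIST = {"chinesetrackingcompany.com"}     # domain named in the post


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """Block a queried name if it, or any parent domain, is on the list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    # Constructed sample traffic from a LAN device with a hard-coded resolver.
    for pkt in (Packet("192.168.2.50", "8.8.8.8", 53, "udp"),
                Packet("192.168.2.69", "1.1.1.1", 53, "udp"),
                Packet("192.168.2.50", "8.8.8.8", 443, "tcp")):
        print(pkt, "->", nat_decision(pkt))
    print(nftables_rules())
    for name in ("telemetry.chinesetrackingcompany.com", "climate.us"):
        print(name, "blocked" if is_blocked(name) else "allowed")
```

The two `return` rules sit before the `dnat` rules so the resolver's upstream queries, and queries already addressed to it, are never rewritten; that is the self-loop the post warns about.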