Topic: Blocking Samsung TV firmware updates using Zyxel's 'Eircom f1000' VMG8324-B10A

dusf

  • Member
  • **
  • Posts: 10

Please note to fix Wi-Fi in the past, using a guide created by users of this forum, I have previously unbranded this router to remove the Eircom firmware and it now runs V100AAKL12C0 which was released in recent weeks.

On my new Samsung J series TV I cannot let it update from factory firmware or I will not be able to sideload apps from USB, which would restrict me to having only apps from one country installed at a time, basically it is Irish RTÉ, TG4, 3Player OR iPlayer, All4, ITVHub - not both sets. Samsung made a change in this series of television so that disabling updates from the normal and service menus does not stop updates fully, and the firmware will still update. The only way around this is to block updates at the network level.

The domains I need to block are the following:

Code:
msecnd.net
samsungotn.net

I am testing for success by attempting to block just the first domain, first on my PC, which has the hostname roadrunner and the MAC address you will see in the screenshot. I have been testing by trying to load this link in a new browser tab:

https://az833301.vo.msecnd.net/

What I have tried so far:

1. Using Security >> Parental Control.





Just in case the settings were phrased badly, I tried sliding the bar so that no access was from '00:00 - 24:00' but this made no difference. Also, I am not able to select '00:01 - 24:00', the earliest next available is '00:30 - 24:00'.



I tried with and without a network service setting configured as above. The input box for site/URL keyword would not accept the asterisk when I tried to enter *.mscend.net.

2. Using Security >> Firewall.



The IP below was in the output of ping msecnd.net yesterday, but now there is no reply, even from other devices on the network. Also, blocking by IP may be risky - if the TV is configured to look for updates by host@domain, and they change the IP, it will update.



I know it says destination IP address below, but just in case I tried entering msecnd.net and it would not accept it. It also would not let me enter a port range 1-65535, so I left it without a port setting.





Definition of the 247 scheduler rule. I experimented with changing the time from '00:00 - 00:00' to '00:00 - 23:59' but this made no difference:



3. Bogus DNS entry

In Network Setting >> DNS >> DNS Entry I selected add new DNS entry, and then entered msecnd.net as the host and the IP 10.0.0.1.

When I try to ping msecnd.net it now attempts to ping 10.0.0.1, but when I load the test website https://az833301.vo.msecnd.net/ in a new tab in Firefox it is still loading. I tried entering ipconfig /flushdns into the command prompt but this made no difference, the website still loads. I then tried entering another DNS entry as wildcard *.msecnd.net with the IP 10.0.0.2 but the router would not accept this. Instead, just in case it worked, I entered .msecnd.net 10.0.0.2. Router rebooted, PC rebooted, DNS flushed - no change, website loads fine. I read online this may only work if the router is set up as the DNS server for the PC, so in the LAN config on Windows 10 I changed DNS automatically detect to preferred to 192.168.1.1 (Router's IP) and alternate to 192.168.1.2 as I had to enter something. Everything rebooted again, DNS flushed, no change. I also read that Chrome has its own DNS settings, so it does not use the Windows set DNS - I have been testing with Firefox and IE, so unless they also have their own DNS settings this is not working.



-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

None of my attempts above to block access to the domain msecnd.net worked, although when I experimented with the ACL set to ICMP instead of TCP/UDP - it did stop ping replies from the IP before I removed it.

If it matters I have Unotelly DNS (to get around geoblocking) configured in Network Settings >> Broadband >> VDSL >> preferred and alternate. I mention this as there appears to be other places it can be entered. To be honest I wish I could just load OpenWRT, tomato, or DD-WRT firmware onto this router but as far as I am aware this is not possible.

Perhaps the domain could be blocked with a static route or some other routing settings? For instance, there are options as below. I messed around with it but it did not help. I was thinking, as I am able to create interfaces, perhaps I could attempt to route traffic from the domain out some bogus interface. Along with that I also tried routing it out the 3G (currently dongleless) interface but it still loaded the website, perhaps because it falls back to some other interface, because I configured it wrong, or because here it also will not catch anything *.msecnd.net with msecnd.net as the parameter.



Please advise, am I missing something in my settings or is the config on this Zyxel just bugged or not able to block domains completely? Is there anything I can do? I really want to hook the new TV up to the network so I can stop using the Roku 3 for on demand media!
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project

Welcome to the Kitz forum.  :)

I am, unfortunately, unable to help you as I have no experience of that modem/router. I am sure that someone with the knowledge will eventually make suggestions to assist you in your quest.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


dusf

  • Member
  • **
  • Posts: 10

> Welcome to the Kitz forum.  :)
>
> I am, unfortunately, unable to help you as I have no experience of that modem/router. I am sure that someone with the knowledge will eventually make suggestions to assist you in your quest.

Hey burakkucat, and thanks!  ;D

I fear it just may not be possible with this router.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078

I think the attempt to block *.msecnd.net by blocking an IP address (of msecnd.net) is never going to work, with any router. a.msecnd.net and b.msecnd.net could have totally different IP addresses, each unrelated to the IP address for msecnd.net (if there were one). You ought to be able to block specific IP addresses or IP address blocks though.

I Google searched for msecnd.net, apparently it's the Windows Azure Content Delivery Network, so if you did succeed in blocking all of it, you might block other things unrelated to Samsung TV firmware updates, especially if the block applied to all devices.
Logged

dusf

  • Member
  • **
  • Posts: 10

> I think the attempt to block *.msecnd.net by blocking an IP address (of msecnd.net) is never going to work, with any router. a.msecnd.net and b.msecnd.net could have totally different IP addresses, each unrelated to the IP address for msecnd.net (if there were one). You ought to be able to block specific IP addresses or IP address blocks though.
>
> I Google searched for msecnd.net, apparently it's the Windows Azure Content Delivery Network, so if you did succeed in blocking all of it, you might block other things unrelated to Samsung TV firmware updates, especially if the block applied to all devices.

Thanks for your input. Apparently with Tomato firmware and OpenWRT you can block by string, say *.mscend.net, and it works.

Would it not be risky to block the IP addresses, in case they were to change? At the moment if the Samsung TV receives one update I cannot do what I need to with it.

I would like to restrict the block to just that TV if I could, but if not I will still do it as right now it is the only way to achieve what I am after. Samygo.tv have rooted previous series models, just not this one... yet (hopefully).

Would there be a way to get an IP block, by which I think you mean a network IP, for every host on mscend.net and samsungotn.net, and looking at the screenshots do you think it would work if I entered it into the firewall options?

It has been suggested to me if I setup a Raspberry Pi as a DNS resolver it could block all traffic to the domains, allowing everything else work.
Logged

dusf

  • Member
  • **
  • Posts: 10

If it comes to it, any recommendations on a reasonably priced fibre router to run OpenWRT, tomato, or DD-WRT? The WiFi does not have to be the latest thing, we have an extender passing the network through mains power to the back of the house, and the house recently wired with Cat 6 so I can add a few APs.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078

The blocking of *.mscend.net would have to be done by the DNS resolver. How have you determined that you need to block *.mscend.net though?

Yes, blocking individual IP addresses, or small ranges (blocks) of IP addresses would stop working if the IP addresses that the TV tries to access change. I don't think there is any sensible way to get a list of everything (either host names or IP addresses) on *.mscend.net, and the list could be very long.

Unfortunately the manual for the VMG8324-B10A doesn't clarify how the DNS route works, it doesn't seem to make any sense, how is a subnet mask supposed to apply to a domain name?
Logged

dusf

  • Member
  • **
  • Posts: 10

> The blocking of *.mscend.net would have to be done by the DNS resolver. How have you determined that you need to block *.mscend.net though?

Yes, the reply from Samygo.tv when I queried if there was a list of hosts I could block instead: 'List is UNLIMITED. Also samsung can use (for example) domain: samsung.msecnd.net and ANY subdomains (a.samsung.msecnd.net, b.samsung.msecnd.net, etc.'

> Yes, blocking individual IP addresses, or small ranges (blocks) of IP addresses would stop working if the IP addresses that the TV tries to access change. I don't think there is any sensible way to get a list of everything (either host names or IP addresses) on *.mscend.net, and the list could be very long.
>
> Unfortunately the manual for the VMG8324-B10A doesn't clarify how the DNS route works, it doesn't seem to make any sense, how is a subnet mask supposed to apply to a domain name?

Welcome to hell :)

Get this, I have tried registering on forum.zyxel.com so I can ask about all of this, but it seems the activation email required to post is just not sending. I checked my Gmail spam and bin folders just in case but it is not there. I then set up a @mail.com address just in case it was a gmail thing but still nothing.
Logged

jasjeet

  • Member
  • **
  • Posts: 86

You could do this all with a raspberry pi I would think. All you need is dnsmasq setup as DHCP and DNS forwarder. Then all clients get the DNS IP as the Raspberry Pi. The pi then consults a host file which you can put the website you want to block and point it to 127.0.0.1. This is how I block ads on my home network with a massive hosts file, it means not even mobile devices on wifi get ads ;)

If you want to test this, you can just do it in a virtual machine on your PC, just use Ubuntu server and make sure the virtual machine is using a bridged connection such that it is on the same ip range as your normal devices.
Logged

dusf

  • Member
  • **
  • Posts: 10

> You could do this all with a raspberry pi I would think. All you need is dnsmasq setup as DHCP and DNS forwarder. Then all clients get the DNS IP as the Raspberry Pi. The pi then consults a host file which you can put the website you want to block and point it to 127.0.0.1. This is how I block ads on my home network with a massive hosts file, it means not even mobile devices on wifi get ads ;)
>
> If you want to test this, you can just do it in a virtual machine on your PC, just use Ubuntu server and make sure the virtual machine is using a bridged connection such that it is on the same ip range as your normal devices.

Thanks for the advice. Someone mentioned same to me recently elsewhere although they did not say anything about blocking the ads. I was actually thinking of investing in a new router, even a second hand 'new router', to run DD-WRT.

Would what you describe work with that, (including the adblocking) say running on an Asus Nighthawk X4/X6/X87 with DD-WRT? Considering the modem is supposed to be located in a home built comms cabinet (surrounded by thick concrete walls on two sides) that particular router series may be overkill - the ultimate plan is to connect APs up around the house, which I had wired with Cat6 during recent renovations.

Does your setup block ads from ITV Hub and All4? on demand players running on say Samsung TVs or Android?
Logged

dusf

  • Member
  • **
  • Posts: 10
Logged

jasjeet

  • Member
  • **
  • Posts: 86

I'm not sure but it blocks YouTube ads on my iPhone. So I assume if you know the addresses it can do any sort of blocking. But I'm still looking into the wildcard blocking, technically it's possible, just haven't got it to work myself yet. I don't know how it works on DD WRT, but if you run a Pi in your cabinet along with your other equipment it'll still work.

I don't even have a smart tv to test but I guess I can try the desktop sites. Will update you on that.

I added this line to dnsmasq.conf
address=/google.com/127.0.0.1

And
Code:

; <<>> DiG 9.9.5-11ubuntu1-Ubuntu <<>> a.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55031
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;a.google.com.                  IN      A

;; ANSWER SECTION:
a.google.com.           0       IN      A       127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 28 17:23:29 PST 2015
;; MSG SIZE  rcvd: 46

root@ubuntu:/home/jas# dig abc.google.com

; <<>> DiG 9.9.5-11ubuntu1-Ubuntu <<>> abc.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1961
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.google.com.                        IN      A

;; ANSWER SECTION:
abc.google.com.         0       IN      A       127.0.0.1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 28 17:24:48 PST 2015
;; MSG SIZE  rcvd: 48


Guess that works.
« Last Edit: December 29, 2015, 01:25:38 AM by jasjeet »
Logged
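
Added example, not part of any post in this thread and not dnsmasq's own code: a small Python model of why the router's exact-name DNS entry for msecnd.net left https://az833301.vo.msecnd.net/ reachable, while a dnsmasq `address=/domain/ip` rule answers for the domain and every name under it. The sample config, the hosts table and all function names are constructed for illustration; only the single-domain form of `address=` is parsed.

```python
# Added illustration: hosts-style exact lookup versus dnsmasq-style
# address=/domain/ip suffix rules. Not dnsmasq source code.

# Constructed sample config using the domains and sinkhole IP from the thread.
SAMPLE_CONF = """\
# sinkhole the Samsung update domains
address=/msecnd.net/127.0.0.1
address=/samsungotn.net/127.0.0.1
"""

# Constructed hosts-style table: one exact name, like the router's DNS Entry page.
SAMPLE_HOSTS = {"msecnd.net": "10.0.0.1"}


def normalise(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def parse_address_rules(conf_text):
    """Return {domain: ip} for each single-domain address=/domain/ip line."""
    rules = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("address=/"):
            continue
        parts = line[len("address="):].split("/")
        # parts looks like ['', 'msecnd.net', '127.0.0.1']
        if len(parts) == 3 and parts[1] and parts[2]:
            rules[normalise(parts[1])] = parts[2]
    return rules


def hosts_lookup(qname, hosts):
    """Exact-name match only: subdomains are not covered."""
    return hosts.get(normalise(qname))


def address_lookup(qname, rules):
    """Match the domain itself and anything under it, on label boundaries.

    Walks from the full name towards the TLD so the most specific rule wins.
    Returns the sinkhole IP, or None when the query would be sent upstream.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None
```

Because the match is on whole labels, a rule for msecnd.net also sinkholes every other name on that CDN, which is the side effect ejs raised earlier in the thread.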

dusf

  • Member
  • **
  • Posts: 10

Thanks, will reference this when I get a rpi to block ads. I had thought some of the players would stop working if they detected any issue sending the ad through.
Logged

jasjeet

  • Member
  • **
  • Posts: 86

> Thanks, will reference this when I get a rpi to block ads. I had thought some of the players would stop working if they detected any issue sending the ad through.

If that ever became the case, just remove the entry from the hosts file.
I'll see how the itv player and 4od player works on my desktop today.

Edit
On the desktop, 4od ads were not blocked but I'm not sure if either it's possible or if my ad block list includes those targets, likely it's both of these things.
« Last Edit: December 29, 2015, 10:36:31 PM by jasjeet »
Logged