Hello there, I run several services locally on my network and need a DNS server local to my network to access them. I have a DHCP and DNS server setup to handle everything I need and this works for everything on my network except my new HD 10. The tablet will get the IP/Subnet Mask/Gateway and DNS server, but then it will add googles 8.8.8.8 as well. That'd fine and all, except that the tablet/Silk will never use my 192.168.1.1 DNS to resolve my internal servers, it just uses the google DNS. I have installed a nslookup tool and it resolves everything just fine. Next, I went in and statically set the DNS server and even added a second, which works for a few minutes, but then the tablet adds 8.8.8.8 again. The hosts it's resolving are there, every computer/tablet/phone on my network can resolve it and so can nslookup. My home DNS server can resolve whatever is needed, but this tablet is forcing stuff I don't need.
What can I do, I bought this tablet to use with things on my network (specifically) and it seems to have a mind of its own.
you might try editing the hosts file on our tablets I dunno if this will apply to us but here's a site that claims to show how to edit the hosts file on non rooted devices... This may also work in your reverse lookup zone with a manual entry for 8.8.8.8 sent to your dns server as well
https://www.techrepublic.com/article/edit-your-rooted-android-hosts-file-to-block-ad-servers/
Dunno why you're having this issue though as you mentioned DHCP is adding both yours and Google's NS and the 192 range is non routable and Google is not authoritative for that range anyways
What's your DNS/DHCP setup like? Window or Linux?
Lastly, you may also try using NAT to redirect all traffic bound for 8.8.8.8 to your DNS servers ip but this may have the added effect of any other devices on the network headed to 8.8.8.8 to return to your DNS and be unable to resolve internet addresses
You may want to do a bit of research in that regard
bladerunnernexus said:
you might try editing the hosts file on our tablets I dunno if this will apply to us but here's a site that claims to show how to edit the hosts file on non rooted devices... This may also work in your reverse lookup zone with a manual entry for 8.8.8.8 sent to your dns server as well
https://www.techrepublic.com/article/edit-your-rooted-android-hosts-file-to-block-ad-servers/
Dunno why you're having this issue though as you mentioned DHCP is adding both yours and Google's NS and the 192 range is non routable and Google is not authoritative for that range anyways
What's your DNS/DHCP setup like? Window or Linux?
Lastly, you may also try using NAT to redirect all traffic bound for 8.8.8.8 to your DNS servers ip but this may have the added effect of any other devices on the network headed to 8.8.8.8 to return to your DNS and be unable to resolve internet addresses
You may want to do a bit of research in that regard
Click to expand...
Click to collapse
Thanks, I'll try some of what you suggested. I run pfsense for my router and it has a dns resolver I use. I run some docker stuff with traefik as the reverse proxy so I need the DNS to route to stuff internally.
Dns with tls is what it wanted. I got that configured and now it works. Thanks
Noticed this as well when I added my own DNS servers for accessing work. Is there anyway to remove the 3rd DNS server entry of 8.8.8.8?
I posted this on another forum as well but I wanted to post it here for anyone who might find this. This is a hidden option in the Fire OS so I had to use ADB to turn it off. So far it appears to persist across reboots.
adb shell settings put global private_dns_mode OPTION (off was what I used) FYI no quotes just private_dns_mode off
Options are
* - opportunistic (Auto)
* - off (disabled)
There is also a "private_dns_default_mode" as well that I set to off but i'm not sure if that did anything.
jwoodard80 said:
I posted this on another forum as well but I wanted to post it here for anyone who might find this. This is a hidden option in the Fire OS so I had to use ADB to turn it off. So far it appears to persist across reboots.
adb shell settings put global private_dns_mode OPTION (off was what I used) FYI no quotes just private_dns_mode off
Options are
* - opportunistic (Auto)
* - off (disabled)
There is also a "private_dns_default_mode" as well that I set to off but i'm not sure if that did anything.
Click to expand...
Click to collapse
Oh you wonderful, wonderful person, you. This did the trick, although, it took a bit of time to make out what the exact command you were referring to was. So, to make it clearer to anybody else want to try this, it's
Code:
adb shell settings put global private_dns_mode off
Of course, the prerequisites of enabling developer options and enabling debugging as well as having a pc with adb installed and set up are assumed to be already fulfilled.
Hey guys,
I just read your posts here and treid to deactivate this pretty strange behaviour. Unfortunately, it didn't work as expected. I ran the command after enabling developer options and confirming the new connection. ADB worked without any error but still, the Fire HD10 added the 8.8.8.8 DNS server on my WiFi connection. I deactivated the connection and even deleted it to set it up again, nothing worked..
Is there anything I missed?
Thanks,
Matthias
Persistent 8.8.8.8
I also changed both parameters to OFF using adb but without any results on the FIRE 7. My guess is that they used the 8.8.8.8 DNS for their ad-based servers and as this tablet is ad-enabled (which actually makes them less expensive to buy) they wont allow changing this without rooting the device. Any suggestions ???
Well, I finally solved it on network side: I used a NAT firewall rule to ensure all traffic via port 53 (=DNS queries without encryption) goes to my internal DNS server. Of course, if the server is within your network, you'll have to add an exception for traffic to port 53 for the server.
The main qustion is if your router will support custom NAT rules.
BR,
Matthias
The adb shell settings stuff did not work for me either.
Instead of adding a nat rule I simply deny all traffic to 8.8.8.8 and 8.8.4.4. As the fires use my local dns servers as fallback everythimg now works as expected - including blocked adds in browsers.
egalus said:
The adb shell settings stuff did not work for me either.
Instead of adding a nat rule I simply deny all traffic to 8.8.8.8 and 8.8.4.4. As the fires use my local dns servers as fallback everythimg now works as expected - including blocked adds in browsers.
Click to expand...
Click to collapse
Yeah, I have taken to doing the same thing, although I'd be interested to know if anyone finds a solution rather than a workaround, as firewalling 8.8.8.8 isn't exactly elegant.
BTW: My OnePlus 6 does the same thing and adds 8.8.8.8 no matter what the DNS distributed by DHCP was - at least when DHCP only providers one DNS.
matmike said:
BTW: My OnePlus 6 does the same thing and adds 8.8.8.8 no matter what the DNS distributed by DHCP was - at least when DHCP only providers one DNS.
Click to expand...
Click to collapse
It adds 8.8.8.8 for me whether DHCP provides 1 or multiple DNS entries
So it might not be a Kindle specific topic but also affect other Android devices.
matmike said:
So it might not be a Kindle specific topic but also affect other Android devices.
Click to expand...
Click to collapse
Yeah, I found a reddit thread saying it is affecting android in general
---------- Post added at 05:43 PM ---------- Previous post was at 04:43 PM ----------
Saw someone said it doesn't add it if you pass through 3 DNS entries, but my Unifi box only seems to allow 2 (not tried overriding from command line though)
Jimsef said:
Yeah, I found a reddit thread saying it is affecting android in general
---------- Post added at 05:43 PM ---------- Previous post was at 04:43 PM ----------
Saw someone said it doesn't add it if you pass through 3 DNS entries, but my Unifi box only seems to allow 2 (not tried overriding from command line though)
Click to expand...
Click to collapse
That's interesting! I also use a UniFi network and the controller allows me to pass 4 different DNS servers via DHCP - although I only have one, I tried to put in the same address 4 times and will check if it works.
BR,
Matthias
matmike said:
That's interesting! I also use a UniFi network and the controller allows me to pass 4 different DNS servers via DHCP - although I only have one, I tried to put in the same address 4 times and will check if it works.
BR,
Matthias
Click to expand...
Click to collapse
Interesting, can you remind me where you set it, as I’m only seeing 2? Just want to check I’m looking in the right place.
Yes, sure. I'm using the UniFi controller in version 5.12.35.
The options for the DNS to-be-distributed can be found under Setting->Networks->Edit (your specific network)->DHCP-Nameserver to manual and then 4 possible entries appear. All options translated from German so it might be a bit different.
BR,
Matthias
Any solution update? fir non-unifi owners?
Related
This is a simple tutorial to allow you to connect to the internet using VPN through your home router.
:NOTE: At present, the steps here are sparse. They assume some technical capability to set things up yourself, this is just kindof a guide as to WHAT you'll need to setup.
Why, you ask? Security. Using a VPN will essentially encrypt your communications though a tunnel back to your home computer. Not going into all that here, basically a simple guide. I assume we're all smart here, so the basics.
Prerequisites
1. DD-WRT V24 Capable router. If you don't have this, then you will need to instead use a different method involving installing software on your PC that I won't cover here. The advantage of the DD-WRT router is ease of setup on the router, and not having to have your computer turned on.
2) Capable Android Phone & Provider. I can't troubleshoot your ROM or provider. Some Android Roms don't support VPN, and it's broken in some. Some providers apparently block it. If your Rom is good and your provider doesn't block it, you're golden. In some cases (such as on the G2X) custom kernels (such as Faux123's) will add the necessary TUN support. Or you may need to add a TUN.KO file if it doesn't... again, device specific, refer to appropriate device forums.
3) If you don't have a static IP (I assume you don't) you'll need a dynamic DNS provider compatible with DD-WRT. I prefer freedns.afraid.org, but you can use any o these: dyndns.org, zoneedit.com, No-Ip.com, 3322.org, easydns.com tzo.com or dynsip.org.
Got all that? Great!
Okay, here's the fun bit.
STEP 1
First, you need to hack your router. It's a LOT like rooting your Android phone. How to do it is BEYOND the scope of what I can write here, but what you need to do is visit http://www.dd-wrt.com and have a look around. Or, you can actually purchase routers with DD-WRT pre-installed. Basically you have to flash a custom ROM onto your router. It needs to support VPN, and be at least version "v24 SP1". Older versions may have a DIFFERENT VPN setup that's not as easy. Don't say I didn't warn you. I flashed the full-featured VOIP version to my router, a Buffalo WHR-G54S.
Unlocking (if necessary) and flashing your router with DD-WRT is a topic as broad as rooting/flashing Android - so I can't help you here. But once it is done, you are ready for....
STEP 2
Setup your dynamic DNS provider. I used http://freedns.afraid.org/ to do this. Basically you go to the site and sign up for the free "subdomain" services. You can pick a name that will be on a number of different domains, such as "us.to", where you could maybe pick something like "kick.us.to" if it isn't taken yet. All that matters is you remember the name.
Next, in DD-WRT, go to the Setup->DDNS tab and select the proper DDNS service and enter the information it asks for -- your service used, username, password and hostname usually. You can usually leave update interval at the default, and normally you don't need to use external IP check.
NOTE: You need to make sure you are not "Double NAT-ed".. this means two routers stacked is a nono. If you have a router connected to a cable/dsl router (instead of a cable/dsl modem), then it needs to be set to BRIDGE mode. Again.. complicated and really a topic best dealt with on its own.
Once you've setup your Dynamic DNS, you're well on your way. You can actually use that hostname for all sorts of things, such as always being able to get Audiogalaxy to connect to the right host without having to know a numeric IP that could change.
STEP 3
You're on a roll... Now, time to setup the VPN in the router. This is done under the Services->VPN tab. If that tab doesn't exist, then you got the wrong version of DD-WRT and need to go back to Step 1.
Enable PPTP Server, Broadcast Support, MPPE Encryption. Under Server IP enter your ROUTER's IP address (usually 192.168.1.1, or whatever you use to connect to your router). Under Client IP's, enter the range of clients on your local network in the format: 192.168.1.100-149 (where 100-149 represents possible IP addresses I've set in DD-WRT for my LAN)... this doesn't seem as important since we'll be connecting from outside.. Just do it.
Under CHAP-Secrets enter in your preferred username and password in the format:
username * password *
that is, the username, a space, *, a space, the password, a space and then *
Save and apply settings. (You need to click both SAVE and APPLY, DD-WRT is weird like this)
STEP 4
Back to Android! Yay! This part of the procedure may vary by phone, but this is how it is on my Gingerbread T-Mobile G2X with faux123's kernel.
Goto Settings->Wireless & Networks->VPN Settings->Add VPN->Add PPTP VPN
VPN Name=whatever you want
VPN server= your dynamic IP name you selected in Step 2
Enable encryption = Yes
now, hit Menu->Save
You should now see your VPN listed under VPNs. Click on it, and select CONNECT. Type in your username and password you selected at the end of Step 3.
It should connect. CONGRATULATIONS!
You should also have a notification in your taskbar that will now let you disconnect from the VPN.
STEP 5
Enjoy! .. wait, what? It didn't work? It did for me!!!
I guess.... ask questions here, or if it appears to be a phone issue, ask in your device's appropriate forum (and link to this thread so people know what guide you're following)
And, if anybody reading this is a better expert in setting this stuff up than I am, feel free to critique/laugh/criticize/constructively comment on this little howto and I'll correct anything I Rick Perry'd.
Nice tutorial! Would have been better if you also included more details in hacking our router
DroidVPN said:
Nice tutorial! Would have been better if you also included more details in hacking our router
Click to expand...
Click to collapse
I would have, but like I said, that's a topic as big as phone hacking itself. Every model of router is going to be different! There may be models that support VPN in the router as well without DD-WRT, but I'm not familiar with that setup.
DD-WRT's website has a pretty huge forum on what routers are compatible and how to set it all up.
The optimal speed can be achieved by the compression of traffic and by minimizing server loads. Web acceleration will enable you bring about a drastic improvement in the web page response time. This kind of acceleration usually come in lesser costs and offers the best web application performance.
So Wat does this do? Keeps u secured from the eyes of the ISP?.. harder for others to hack u?...
Sent from my HTC Desire using xda premium
evilgenius00 said:
So Wat does this do? Keeps u secured from the eyes of the ISP?.. harder for others to hack u?...
Sent from my HTC Desire using xda premium
Click to expand...
Click to collapse
lotherius said:
Security. Using a VPN will essentially encrypt your communications though a tunnel back to your home computer.
Click to expand...
Click to collapse
Yeah, that.
...
10char.
Nice TUT, VPN working
Thanks. I mostly appreciated the idea of using afraid.org.
For some reason, Dyndns and no-ip wouldn't work with ICS as client.
thanks for this tut, keep it up
nice.. thanks for sharing
The cool thing is, once you start hacking your router, you open up all sorts of fun. Like using a virtual wireless network to bridge the open wifi network that gets 1 bar of signal in one little corner of your apartment to be a full strength WPA protected network with your own SSID and subnet that all of your devices can use ... not like I would do such a thing. Now, I *am* a bit afraid to try to set up a VPN on the bridged virtual network..... that could get complicated.
Will this also work with OpenDNS?
Already running DDWRT v24 on WRT600N, and trying to figure this VPN stuff to connect my Atrix running CM10. Thanks for any help
katinatez said:
Will this also work with OpenDNS?
Already running DDWRT v24 on WRT600N, and trying to figure this VPN stuff to connect my Atrix running CM10. Thanks for any help
Click to expand...
Click to collapse
Any service which gives you a stable hostname to the outside network should work.
If you have a higher end router that supports the mega builds (8MB flash), then you can opt for OpenVPN which is more secure than PPTP. Setup is more complicated though.
australix said:
If you have a higher end router that supports the mega builds (8MB flash), then you can opt for OpenVPN which is more secure than PPTP. Setup is more complicated though.
Click to expand...
Click to collapse
Still using a (now antiquated) Buffalo WHR-G54S which has 4MB flash and 16MB Ram... so while it has a lot of features, OpenVPN is lacking... so I can't test that method personally.
This Buffalo is the best router I've ever owned, though. I still can do without gigabit or N networking, so I'm not upgrading. I went through 5 or 6 bad routers (even a Linksys WRT-54G that crashed constantly) before I got this one.
Thanks for all the info here. I've deleted the post because I think my issue is with something else.
Thanks..
p
very...helpfull..!!!
Very easy guide! Thanks!
455
nice cool...
bumpin this because i have a question regarding this, i just set this up and it works great
there are mainly two types of auth vpn servers use, certificate authentication and username/password
i tried to set up password one, and you still need the server public certificate along with username/password, but you don't need client public and private keys unlike with cert auth.
now, i placed the server key, ca.crt, on my internal storage and together with username/password, works great, my concern is security of this file. this file needs to be accessible right, so you can't put it in /etc or /system, having it in internal storage, any app with storage permission can read it... isn't this a security risk? how is this solved? where do i put the file?
thanks
edit: also, how do i *prevent* network traffic without vpn? i know there is always on option and start on boot, but i did, and when the boot finnishes there is a brief moment when the phone connects on mobile network just before initializing vpn and in that brief moment android probably sends all sorts of passwords and data through the network ... how do i delay this until vpn is initialized?
Hi,
Just got my Nexus Player, very sad to find Play Store was limited to regional apps, requesting anyone who has a Nexus Player to upload the leanback Neflix APK.
I will love ya forever!
(Not sure about rules on this) - but willing to donate etc. just really desperate for the APK)...
Regards -hasamoder
EDIT: Thanks to XDA Member "Elrondolio" the APK has been pulled and can be manually installed -
http://forum.xda-developers.com/showpost.php?p=56995564&postcount=23
All Good Now!
Hey,
does this APK mean you will get the US Netflix selection? I am trying to find a solution to this... in Canada, so get Canadian content. I have s subscription to blockless, but am unable to set the DNS settings on the device itself. Apparently the Nexus devices have the google DNS servers baked in.
psxp said:
Hey,
does this APK mean you will get the US Netflix selection? I am trying to find a solution to this... in Canada, so get Canadian content. I have s subscription to blockless, but am unable to set the DNS settings on the device itself. Apparently the Nexus devices have the google DNS servers baked in.
Click to expand...
Click to collapse
Yes they do have the DNS baked in, same with the Chromecast as well, it is offered as the Google DNS servers often offer faster resolving than ISP DNS's do. It is a shame however they do not offer an easy setting to change the DNS. In your case the Netflix APK is not useful, the APK is the same offered through the Canadian Play Store - I only wanted it as Australia has no Netflix at all.
In terms of switching your DNS to a DNS unblocking service you have two options-
1. Root you Nexus Player and Manually change the reference to the DNS.
This method would require you to root your nexus player and install a file browser capable of modifying the system partition.Then simply modify the reference to the DNS and switch it to you're own unblocking service. A big negative to this method however is that every time you upgrade you're Nexus Player it will switch back to the old DNS and thus is not recommended.
2. Add alternative DNS Routing on you Router
This method would require you to add a setting to your router which would push all requests to 8.8.8.8 to an alternative DNS. Here are the instructions: You need a router that either supports DD-WRT, OpenWrt, Tomato or Open Linux Firmware, otherwise this will not be possible. I'll omit the precise menus you have to go to in either of the interfaces; however what you want to do is change the iptables to route elsewhere (in commands it looks like this)-
iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination x.x.x.x
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination x.x.x.x
If you are uncomfortable with these options, I am sorry to say you will have to live with Canadian Netflix. If you need more detail on either of these options, let me know and I'll be happy to help out...
EDIT : Turns out the DNS is changeable look here - http://forum.xda-developers.com/nexus-player/general/how-to-change-dns-ip-t2953282 and end of Page 1 of this Thread.
hasamoder said:
1. Root you Nexus Player and Manually change the reference to the DNS.
This method would require you to root your nexus player and install a file browser capable of modifying the system partition.Then simply modify the reference to the DNS and switch it to you're own unblocking service. A big negative to this method however is that every time you upgrade you're Nexus Player it will switch back to the old DNS and thus is not recommended.
Click to expand...
Click to collapse
I'd love more info on this option. I did some quick searching and I see people mentioning it but no one explaining what needs to be done. I'm fairly confident in my abilities to modify files and really just need to know what I need to edit.
hasamoder said:
In terms of switching your DNS to a DNS unblocking service you have two options-
Click to expand...
Click to collapse
Great information. There is also a third, simpler option. In your router's WAN section, if you change the DNS from automatic to manual you can put in your unblocking service's DNS instead of it automatically grabbing your ISPs. Almost all routers have that simple option. For a Chromecast, this wouldn't work at you'd indeed need to also add the iptables static routing since the DNS is hard coded, as stated, on the Chromecast. The way the Chromecast works, using an internal hidden Chrome browser to display all cast content puts DNS in Google's control. However, DNS isn't hard coded in Netflix or most any other standalone app outside of Google's on the Nexus Player, so a simple DNS change will work for Hulu, Netflix, etc. on the NP.
I'd still recommend getting a router with customizable firmware, however, as in addition to using iptables static routing you can also use dnsmasq to route only specific web sites through your unblocking DNS service and leave the rest to your standard ISP's DNS service (or any other DNS service you'd choose). For privacy reasons, this'd be the ultimate solution but all of the above work as well.
As a final aside, you can actually change the DNS service on the Nexus Player pretty easily by choosing a static IP in it's Wifi section... unfortunately this somehow interferes with Netflix and makes it inoperable. Strange, but needs more eye's on the issues to find a solution. The option is there, however, and easy to access.
---------- Post added at 09:06 AM ---------- Previous post was at 08:58 AM ----------
LecheConCarnie said:
I'd love more info on this option. I did some quick searching and I see people mentioning it but no one explaining what needs to be done. I'm fairly confident in my abilities to modify files and really just need to know what I need to edit.
Click to expand...
Click to collapse
Hit your router's configuration page (192.168.1.1 or 0.1 or whatever yours is) and change it's WAN or internet setup to define which DNS server it uses - it usually gets your ISP's DNS automatically. You'll of course need AdFreeTime, UnblockUS, etc service to put in the correct DNS entries, but it should be pretty straight forward. Here in Canada, at least, that's more than enough to get Netflix, Hulu, Pandora, etc working on the NP.
Just be aware that doing this means any and all internet traffic on every device that connects through your router will be routed through your unblocking service's DNS servers so be comfortable with the outfit you use as it'd be trivial for them to direct you to phishing sites for banking, etc or to sniff your communications. Most people don't worry about these things, but more probably should.
@Elrondolio, changing the router config doesn't work since the values are hardcoded on the device like the Chromecast is. I'm already well aware of using a service similar to AdFreeTime. I think that a file needs to change on the NP, but I'm not sure what. That is what @hasamoder is referring to.
LecheConCarnie said:
@Elrondolio, changing the router config doesn't work since the values are hardcoded on the device like the Chromecast is. I'm already well aware of using a service similar to AdFreeTime. I think that a file needs to change on the NP, but I'm not sure what. That is what @hasamoder is referring to.
Click to expand...
Click to collapse
The only hard coded DNS use on the Nexus Player is for Googles apps (play store, etc). I'm not sure why it's not working for you, but changing the DNS at the router works just fine here for Netflix, Hulu, Pandora, etc. What is the issue when you try it?
psxp said:
Hey,
does this APK mean you will get the US Netflix selection? I am trying to find a solution to this... in Canada, so get Canadian content. I have s subscription to blockless, but am unable to set the DNS settings on the device itself. Apparently the Nexus devices have the google DNS servers baked in.
Click to expand...
Click to collapse
RE DNS settings:
The DNS servers are not hard coded in. Via the network settings, I was able to assign a static IP, gateway, and a DNS IP. I had to do it a couple of times. Even though it said settings were saved, the connection didn't change from DNS to STATIC.
I gave up. But then then the next day I noticed the connection kicked over to STATIC and Netflix region switched over to US EN.
hasamoder said:
Yes they do have the DNS baked in, same with the Chromecast as well, it is offered as the Google DNS servers often offer faster resolving than ISP DNS's do. It is a shame however they do not offer an easy setting to change the DNS. In your case the Netflix APK is not useful, the APK is the same offered through the Canadian Play Store - I only wanted it as Australia has no Netflix at all.
In terms of switching your DNS to a DNS unblocking service you have two options-
1. Root you Nexus Player and Manually change the reference to the DNS.
This method would require you to root your nexus player and install a file browser capable of modifying the system partition.Then simply modify the reference to the DNS and switch it to you're own unblocking service. A big negative to this method however is that every time you upgrade you're Nexus Player it will switch back to the old DNS and thus is not recommended.
2. Add alternative DNS Routing on you Router
This method would require you to add a setting to your router which would push all requests to 8.8.8.8 to an alternative DNS. Here are the instructions: You need a router that either supports DD-WRT, OpenWrt, Tomato or Open Linux Firmware, otherwise this will not be possible. I'll omit the precise menus you have to go to in either of the interfaces; however what you want to do is change the iptables to route elsewhere (in commands it looks like this)-
iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination x.x.x.x
iptables -t nat -A PREROUTING -d 8.8.4.4 -j DNAT --to-destination x.x.x.x
If you are uncomfortable with these options, I am sorry to say you will have to live with Canadian Netflix. If you need more detail on either of these options, let me know and I'll be happy to help out...
Click to expand...
Click to collapse
Thank you so much for this information. This is exactly what I've been looking for !
Most answers I see on comments sections on websites/blogs have been "just root it" or similar. Thank you so much for the detailed answer.
So, I looked at option 2 and I do indeed have a Router that OpenWrt supports.. the TP-Link Archer C7 but mine is version v1 firmware so I dont get any support of the 5GHZ frequency. I'm willing to get a new v2 router if need be.. but the other thing is that these new firmwares are all command line based right? The front end isnt like using the nice web based front end on the Tp-link?
Option 1 might have to be the one for now. Here's my situtation.
I have a blockless DNS so I can use Netflix US. I also would like to run XBMC and Plex along with youTube. Thats the main requirements.
I have a Apple TV 2 jailbroken and running netflix US on it, with XBMC, and youtube. I havent installed the PlexConnect hack yet.. maybe I should give it a go. The thing was AppleTV 2 is only 720p and Nexus Player is 1080p and seems more responsive (faster etc) than the aging Apple TV.
If you had more details on what to do for option 1, that would be handy. I would then just avoid updating the Nexus Player unless I had to. I would then have to install the apss (ES Explorer, XBMC + plug in scripts, Chainfire launcher) each time.
The other crazy Idea I had was to use a cheap tablet with HDMI out as a Netflix media player .. but thats starting to get "clunky". I would like a "smoother" solution.
---------- Post added at 02:46 PM ---------- Previous post was at 02:41 PM ----------
Elrondolio said:
The only hard coded DNS use on the Nexus Player is for Googles apps (play store, etc). I'm not sure why it's not working for you, but changing the DNS at the router works just fine here for Netflix, Hulu, Pandora, etc. What is the issue when you try it?
Click to expand...
Click to collapse
Hi,
so you just changed your router DNS to user Blockless, unlock-us etc DNS? With the cavet that ALL traffic is now routed to the DNS service?
And Netflix shows Netflix US content? But now Chromecast will break?
---------- Post added at 02:51 PM ---------- Previous post was at 02:46 PM ----------
habskilla said:
RE DNS settings:
The DNS servers are not hard coded in. Via the network settings, I was able to assign a static IP, gateway, and a DNS IP. I had to do it a couple of times. Even though it said settings were saved, the connection didn't change from DNS to STATIC.
I gave up. But then then the next day I noticed the connection kicked over to STATIC and Netflix region switched over to US EN.
Click to expand...
Click to collapse
really? I didnt see any settings there for assigning IP address/DNS??!.. I'll try again tonight.
What settings/service are you using?
I assume you gave the Nexus player a static IP on your network, then gateway is IP of router? then DNS IP is IP of the DNS service?
psxp said:
really? I didnt see any settings there for assigning IP address/DNS??!.. I'll try again tonight.
What settings/service are you using?
I assume you gave the Nexus player a static IP on your network, then gateway is IP of router? then DNS IP is IP of the DNS service?
Click to expand...
Click to collapse
Took some crummy pics:
Home -> WIFI connection:
image (1).jpg
Device Network -> Wi-Fi Connected
image (2).jpg
Network Wi-Fi -> {select your active connection} In my case it is Leafs RULE!!_5G
image (3).jpg
Select Advanced options
image (4).jpg
Then select IP settings. In your case it'll say IP settings DNS. In my pic it says IP settings Static.
image (5).jpg
IP settings -> STATIC
image (6).jpg
Go through the IP settings and enter in a static IP, gateway, and DNS settings. Press save and then hope it saves.
You know it saved properly when IP settings DNS changes to IP settings Static. In my case, it didn't pick up the new settings till the next day. Maybe after you save your settings, power cycle NP; go back into settings and see if it changed over to static.
I didn't change or add anything to my router. My router is still using my ISP DNS IPs.
hth
habskilla said:
Go through the IP settings and enter in a static IP, gateway, and DNS settings. Press save and then hope it saves.
You know it saved properly when IP settings DNS changes to IP settings Static. In my case, it didn't pick up the new settings till the next day. Maybe after you save your settings, power cycle NP; go back into settings and see if it changed over to static.
I didn't change or add anything to my router. My router is still using my ISP DNS IPs.
hth
Click to expand...
Click to collapse
THANKS!! Dunno how I missed that.
Anyway, just changed it... and exited screens. Powered off and on.. and shows as STATIC but netflix gives an error and not internet data coming ie. no Recommendations..
will double check settings..
---------- Post added at 06:48 PM ---------- Previous post was at 06:42 PM ----------
just a quick reply.. seems the settings screens have bugs.. some settings for gateway and IP are showing up on incorrect screens,
gone through slowly again with the NP remote this time. (Last time I used Android App remote on my phone)..
My apologies, I thought there were no DNS settings from my brief search - looks like it is changable - Good Find habskilla.
Hope this solution works out for everybody
Awesome!! thanks!!
Okay! We're cooking with gas now!!
Just checked my settings, fixed them (see previous post) and the NP booted up and got internet data. Netflix opened ok and I just looked for a US only selection (I used this website : http://netflixcanadavsusa.blogspot.com/2014/11/alphabetical-list-j-sun-nov-23-2014.html#more )
and hooray its working!!!
Nice. !
Maybe one day there will be an app or something to make the setting change like a toggle. - ie. turn back to Canadian content.. but I can live with this as I start playing around with Nexus/Android and Root etc .
Actually, I can just switch the target country on my Blockless subscription if I dont want to change the NP. My preference is to have the DNS set on a per device setting rather than my whole network.
just been testing (we use netflix mainly for kids shows) so I picked "The 100". Wouldnt play.. then I realised that's actually Canadian only content.. so Netflix still caches recommendations or other data. lol!
thanks so much habskilla. I appreciate you posting here. (maybe I should have started a new thread) . Also I'm glad I refrained in making any jokes about the Maple Leafs too
(I dont follow hockey anyway - lol)
cheers!
BTW - if anyone's interested I am using Blockless to connect to US Netflix. You can use that it to connect to many other Netflix regions like UK, Canada etc.
Here is my referal link (hope thats allowed here? ) Blockless
I'm glad it's working for you.
I still get an occasional cannot load Netflix error, but then again I get those sometimes with my other devices.
I created a new post in Nexus Player General so it's visible to everyone and not just buried here.
habskilla said:
I'm glad it's working for you.
I still get an occasional cannot load Netflix error, but then again I get those sometimes with my other devices.
I created a new post in Nexus Player General so it's visible to everyone and not just buried here.
Click to expand...
Click to collapse
Your could not load could be because you accessed Netflix as a "Canadian account" . Later when tyring to show you titles it remembers - perhaps cache's your choices and will still show you them even if you are in your "US account" . When you play the content you get blocked. I have seen this happen for me ie. "The 100" is Canadian only content but I see it on my "US Account". See the link to the website I posted earlier that shows US vs Canadian content.
cheers
With chromecast anyone could cast netflix to the available TV. It doesn't work that way with the nexus player, it requires each person to log into the Nexus Player instead of just using their account. I have this problem also with different profiles on the same netflix account.
The account and profile on the casting device should match the one on the nexus player.
Hello everyone,
So I've been doing some work on my A1. Managed to root it via Magisk and something strange happened after that, though now i don't even know if it's related to root or the newest software update. But here is what I've found.
I have a home DNS server with some local network DNS entries.
I also have a DHCP which is providing home DNS server IP along together with 8.8.8.8 as secondary DNS to DHCP clients.
On my phone, i have set a static IP address but pointed DNS servers, as first server to be my home server and secondary to be 8.8.8.8 (as if i were to get these settings via DHCP).
All works well. I am able to get to my devices by looking them up like "pc.lan" or "printer.lan" ... In the first 5 minutes OR LESS!
After that SHORT period expires, my phone no longer queries my local DNS. I couldn't see which server is he trying to reach, i was afraid that i have rooted my phone badly and somehow installed malware onto it which is overwriting my DNS settings.
TBH i even checked /etc/resolv.conf and noticed that i do not have my entries there, but onle 8.8.8.8 and 8.8.4.4. Even after editing that file i still have no luck (maybe it's not reading that file).
So I've done little snooping and sniffing. Moved PCAP file to PC and looked it up in wireshark and there i saw something interesting!
Basically, he was querying google's 8.8.8.8 over port 853 (TLS) and completely ignoring my entry.
When i removed 8.8.8.8 as secondary DNS from my static entries, all worked fine, i was able to query my local DNS just fine!
So my question is. Is anyone aware of anything new regarding DNS queries? Maybe android is now forcing encrypted DNS traffic when available ?
EDIT:
Just for the record. I am using Android 9 with V10.0.5.0 build number (as earlier mentioned, Xiaomi Mi A1)
Here is instructions of how to block Updates on a Fire TV.
Important!
Recently a Fire TV update released, it blocks any way to disable auto updates, except this one
Some ISP are replacing client DNS requests by their own answers, in that case this method won't work.
DNS configuration saved per access point, if you connect to another Wi-Fi you need to enter the DNS again.
If you connect a VPN, DNS settings will be ignored, so you can use VPN only if it works per app and not system wide.
No PC needed
Step by step instruction
Go to your Fire TV Network settings and remove all networks except one you going to use. (Menu -> OK)
While connected to the Wi-Fi network you use, go to My Fire TV -> About -> Network and save "IP Address", "Gateway", "Subnet Mask" somewhere, or take a picture
Go to Network settings and remove your Wi-Fi connection
Start connecting to your Wi-Fi access point again, enter password but don't press Next
Press "Advanced" button at the bottom center
Enter the IP Address saved in the 2. step and press Next
Enter the Gateway address saved in the 2. step and press Next
Enter Network Prefix Length, get it from this page using "Subnet Mask" saved in the step 2. and press Next
Enter DNS address, pick up nearest one from the list below, and press Next
USA: 104.154.51.7
Europe: 104.155.28.90
Asia: 104.155.220.58
South America: 35.199.88.219
Australia and Oceania: 35.189.47.23
Skip "DNS 2" configuration and press "Connect"
Wait for the Captive Portal opened. If it is opened it will the proof that DNS is working! Either it means that update blocking not work for you.
In the Captive Portal use remote control buttons to navigate Menu -> Settings -> Fire TV -> Close Captive Portal
Press Back button on the remote control
Press Play/Pause button on selected wifi network to check network status, it should show the online status
Go to My Fire TV -> About -> Check for Updates and if you see "Update Error" message, it is working
While the DNS settings are there, you are safe to stay on current firmware, and no updates going to be installed in background.
To test does your ISP/router replacing DNS requests, you can use this command:
nslookup test.idns [DNS SERVER]
In result it should produce the line with 1.2.3.4 address, it means it is working fine for you.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
If you find any issues, please write them in comments.
--------
Disable OTA if you have a root rights, no DNS needed, run as root in shell:
Code:
mount -o rw,remount /system
echo -e '\n0.0.0.0 softwareupdates.amazon.com' > /etc/hosts
Great, thank you.
I'd like to give this a try later.. Excited for it to work. Can you please proofread #11 and clarify, mostly the 2nd half? Seems a critical point in the process.
@Ighor Thanks.
Who's DNS servers are these?
I'm assuming that Amazon update servers have been blocked from these DNS servers, I'm just wondering who's managing them?
Alternatively, you can block updates through your router. Blocking updates on the FireTV itself is best and easiest, second best option is via your router, and last resort is DNS.
An old walkthrough that talks about all the ways of blocking updates and the benefits of each
How to block software updates on the Amazon Fire TV or Fire TV Stick
All versions of the Amazon Fire TV will download and install software updates automatically. There is no option to disable or reject software updates. Whether you have a rooted Fire TV or not, this guide will show you all the methods for blocking software updates on Fire TV devices.
www.aftvnews.com
Finnzz said:
Who's DNS servers are these?
Click to expand...
Click to collapse
It is my servers, running since 2014 for different purposes. Since my DNS engine is very flexible I can create a rules to provide different features for different devices. So Fire TV support is now added.
For example in Open DNS you can't create rules for *amazon*updates*, but my server has those possibilities, it catching regional and any possible new domains also.
Ighor said:
It is my servers, running since 2014 for different purposes. Since my DNS engine is very flexible I can create a rules to provide different features for different devices. So Fire TV support is now added.
For example in Open DNS you can't create rules for *amazon*updates*, but my server has those possibilities, it catching regional and any possible new domains also.
Click to expand...
Click to collapse
Ok, yeah I figured someone needed to be managing the Amazon addresses The more options the better.
Why do you have different servers for different regions? Are your servers physically looking located in different parts of the world?
Are your servers going to be able to handle thousands of FireTV devices?
Finnzz said:
Are your servers physically looking located in different parts of the world?
Click to expand...
Click to collapse
Yes. So you get lower ping if you choose nearest one.
Finnzz said:
Are your servers going to be able to handle thousands of FireTV devices?
Click to expand...
Click to collapse
It handles millions of requests every day with 2% CPU usage, so answer is yes.
Ok thank you!
I have to say I have one big concern. Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways.
What Is DNS, and Should I Use Another DNS Server?
However, if your computer or network is pointed at a malicious DNS server set up by a scammer, the malicious DNS server could respond with a different IP address entirely. In this way, it’s possible that you could see “facebook.com” in your browser’s address bar, but you may not actually be at the real facebook.com. Behind the scenes, the malicious DNS server has pointed you to a different IP address.
Click to expand...
Click to collapse
I appreciate the gesture you are making to help everyone out, but I'm also wondering how the average user can determine if the DNS servers are trustworthy?
I don't mean to offend you, but being cautious is always best when it comes to security.
It's similar to recommending that you only install apps from trusted sources, and only give ADB access to very trusted sources.
When a stranger offers you a ride home you take a greater risk than if you use public transportation lol
Finnzz said:
Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways.
Click to expand...
Click to collapse
Finnzz said:
I'm also wondering how the average user can determine if the DNS servers are trustworthy?
Click to expand...
Click to collapse
That is fair thing to worry about if you are using unknown DNS on your PC. Since the risk is in you, when you enter the website, you may not notice that you are forgot to add https:// but using http://, or you may mistakenly agree to trust unknown certificate if prompted. In that case someone can see your traffic.
But if you use that with the device, there is no choice, it always uses https:// so if someone will try to catch your traffic, they will fail with ssl errors. So technically you don't have to trust a DNS server or a VPN if you are entering that to your Android/iOS device (and not using Internet browsers).
Anyway if anyone replaces DNS records by malicious IP address, at least some users can notice the certificate warnings and report them. In another cases websites may notify you about unusual logins, from another countries (if someone have catch your unencrypted traffic). I never did anything like that so you won't find any reports about my DNS servers.
Ighor said:
Anyway if anyone replaces DNS records by malicious IP address, at least some users can notice the certificate warnings and report them. I never did anything like that so you won't be able to find any reports about my DNS servers.
Click to expand...
Click to collapse
Yeah sorry, I hate to bring it up. I think everyone knows they take a risk when installing new apps, but far less know the potential of a malicious DNS server. I don't like asking the questions, because just the question insinuates something negative. Nothing against you personally.
Thank you for sharing your DNS. Hopefully you can save a few FireTV users on your arc before the next update that really does some damage.
Ighor said:
Here is instructions of how to block Updates on a Fire TV...
Click to expand...
Click to collapse
Finnzz said:
@Ighor...Alternatively, you can block updates through your router. Blocking updates on the FireTV itself is best and easiest, second best option is via your router, and last resort is DNS.
An old walkthrough that talks about all the ways of blocking updates and the benefits of each
How to block software updates on the Amazon Fire TV or Fire TV Stick
All versions of the Amazon Fire TV will download and install software updates automatically. There is no option to disable or reject software updates. Whether you have a rooted Fire TV or not, this guide will show you all the methods for blocking software updates on Fire TV devices.
www.aftvnews.com
Click to expand...
Click to collapse
Finnzz said:
Ok thank you!
I have to say I have one big concern. Using the DNS servers of a private individual that you don't know is a bit of a security risk, and can be used in malicious ways...
...I appreciate the gesture you are making to help everyone out, but I'm also wondering how the average user can determine if the DNS servers are trustworthy?
I don't mean to offend you, but being cautious is always best when it comes to security...
Click to expand...
Click to collapse
Finnzz said:
...I hate to bring it up. I think everyone knows they take a risk when installing new apps, but far less know the potential of a malicious DNS server. I don't like asking the questions, because just the question insinuates something negative. Nothing against you personally...
Click to expand...
Click to collapse
I certainly appreciate the GENEROSITY of a "Technologically Competent" person offering their services to "Technologically Incompetent" folks, but *WHY* would someone TRUST a stranger to block specific DNS addresses when they could:
Block them locally on THEIR OWN router?
Block them locally on THEIR OWN DHCP server (I use Pi-Hole on a Raspberry Pi 3B)?
Block them with (well-known, established) OpenDNS (Method 4 on the AFTVNews article, as per the LINK posted by @Finnzz )?
TBD...
TakeTheActive said:
I certainly appreciate the GENEROSITY of a "Technologically Competent" person offering their services
Click to expand...
Click to collapse
Yeah, really nice
TakeTheActive said:
but *WHY* would someone TRUST a stranger to block specific DNS addresses when they could:
Block them locally on THEIR OWN router?
Block them locally on THEIR OWN DHCP server (I use Pi-Hole on a Raspberry Pi 3B)?
Block them with (well-known, established) OpenDNS (Method 4 on the AFTVNews article, as per the LINK posted by @Finnzz )?
TBD...
Click to expand...
Click to collapse
If you set up a local proxy server with a program like charles proxy or mitm, you can see all the traffic the fireTV generates on your PC... you see all the data, in listings, well ordered by process.
Almost all of this traffic and data is useless crap, since almost all of this stuff is encrypted.
Only thing readable is advertising sh*t and some meta statistics.
Anyways, a DNS server wont sniff any of this data, it gets only DNS requests, so it will most likely be perfectly fine and a very convenient method for users (users without a pi-hole or a capable router, capable to block encrypted DNS requests).
Btw, it's also a working and very common method to block updates on homebrewed PS4 and nintendo switch devices
Ighor said:
Here is instructions of how to block Updates on a Fire TV.
Important!
Recently a Fire TV update released, it blocks any way to disable auto updates, except this one
Some ISP are replacing client DNS requests by their own answers, in that case this method won't work.
DNS configuration saved per access point, if you connect to another Wi-Fi you need to enter the DNS again.
If you connect a VPN, DNS settings will be ignored, so you can use VPN only if it works per app and not system wide.
No PC needed
Step by step instruction
Go to your Fire TV Network settings and remove all networks except one you going to use. (Menu -> OK)
While connected to the Wi-Fi network you use, go to My Fire TV -> About -> Network and save "IP Address", "Gateway", "Subnet Mask" somewhere, or take a picture
Go to Network settings and remove your Wi-Fi connection
Start connecting to your Wi-Fi access point again, enter password but don't press Next
Press "Advanced" button at the bottom center
Enter the IP Address saved in the 2. step and press Next
Enter the Gateway address saved in the 2. step and press Next
Enter Network Prefix Length, get it from this page using "Subnet Mask" saved in the step 2. and press Next
Enter DNS address, pick up nearest one from the list below, and press Next
USA: 104.154.51.7
Europe: 104.155.28.90
Asia: 104.155.220.58
South America: 35.199.88.219
Australia and Oceania: 35.189.47.23
Skip "DNS 2" configuration and press "Connect"
Wait for the Captive Portal opened. If it is opened it will the proof that DNS is working! Either it means that update blocking not work for you.
In the Captive Portal use remote control buttons to navigate Menu -> Settings -> Fire TV -> Close Captive Portal
Press Back button on the remote control
Press Play/Pause button on selected wifi network to check network status, it should show the online status
Go to My Fire TV -> About -> Check for Updates and if you see "Update Error" message, it is working
While the DNS settings are there, you are safe to stay on current firmware, and no updates going to be installed in background.
To test does your ISP/router replacing DNS requests, you can use this command:
nslookup test.idns [DNS SERVER]
In result it should produce the line with 1.2.3.4 address, it means it is working fine for you.
View attachment 5528199
If you find any issues, please write them in comments.
Click to expand...
Click to collapse
Used the US dns sever listed here, setup my vpn to tunnel per app basis and it still updated anyways. Also most available URLs for Amazon update services have also been blacklisted on my router!
Why is this happening?
ruky23 said:
Why is this happening?
Click to expand...
Click to collapse
VPN is overriding DNS settings by their own
This doesn't seem to work any more. I got a new 4K Max stick and before I plugged it in I made sure your US server was setup as my router's DNS to assign to DHCP clients. It still found an update and rebooted to install it before I could unplug the router.
PeteyNice said:
This doesn't seem to work any more. I got a new 4K Max stick and before I plugged it in I made sure your US server was setup as my router's DNS to assign to DHCP clients. It still found an update and rebooted to install it before I could unplug the router.
Click to expand...
Click to collapse
Are you sure your ISP does not replace dns answers by their own?
Ighor said:
Are you sure your ISP does not replace dns answers by their own?
Click to expand...
Click to collapse
Yes, I am sure. I changed it from a pi hole I setup that I know works.
PeteyNice said:
Yes, I am sure. I changed it from a pi hole I setup that I know works.
Click to expand...
Click to collapse
While DNS server is local, pi hole is, ISP can't replace dns requests.
It is possible only for remote DNS servers, like mine.
What is nslookup answer of the line posted in the picture of this thread?
Ighor said:
While DNS server is local, pi hole is, ISP can't replace dns requests.
It is possible only for remote DNS servers, like mine.
What is nslookup answer of the line posted in the picture of this thread?
Click to expand...
Click to collapse
It worked as expected. One thing I noticed, now that it is setup, is that it is including Google DNS along with my pi hole. I wonder if it tried Google when your server failed to resolve it.
PeteyNice said:
is that it is including Google DNS
Click to expand...
Click to collapse
it is using random, or both at the same time, and of course in my DNS it failed, so it take DNS answer from the second DNS
To get it work, only my DNS server need to be set.
Also please don't set my DNS server to your router, but to Fire TV directly. Because to prevent domain bruteforce by scammers, I made special conditions when it works and when doesn't. And if you turn off your Fire TV for a while, my DNS will stop working next day for your IP.
Noticed that the set DNS ip's were being Bypassed on my FireHD tablets while running Rethink(DNS), a great DNS+Firewall app @ rethinkdns.com for more info if you don't already know about it; anyways, my router points towards two Adguard DNS ip's and somehow the Android System or FireOS itself was still trying to use a third DNS <net.dns3=8.8.8.8>.
So, to stop some of this extra chatter, I've since routed the third DNS to localhost on two different FireHD tablets and my 2nd Gen. FireTV Cube without any adverse effects.
ADB shell:
Code:
settings put global default_dns_server "127.0.0.1"
reboot
*note: need to reboot for it to wipe out the default third dns.
Question, is there any reason not to do this? Let me know.
What firmware is your FireTV on? Any idea how long it's been using the 3rd DNS?
I wonder if being able to fall back to a 3rd DNS might be one way for Amazon to bypass DNS-based OTA blocks.
Finnzz said:
What firmware is your FireTV on?
Click to expand...
Click to collapse
My Cube2 is on FireOS 7.6.3.3 (PS7633/3445).
Finnzz said:
Any idea how long it's been using the 3rd DNS?
Click to expand...
Click to collapse
I think it has been like this forever. I can't remember where, but in one forum it was mention that Android would try to bypass the set DNS, since that time I have used that ADB command above to point to Cloudflare or Adguard, but recently had the idea that I should just null out the query by sending it the localhost 127.0.0.1 instead.
Finnzz said:
I wonder if being able to fall back to a 3rd DNS might be one way for Amazon to bypass DNS-based OTA blocks.
Click to expand...
Click to collapse
I'm thinking that the usage of the third DNS is just for a "Hello, I'm Here" type of ping query that Google or Amazon added to Android, some type of tracking fallback, or Amazon Alexa's ability to create a third network for Echo/Ring bullsh*t subnet communications.
If you have a FireHD tablet with Google Play Store, install the app SetEdit_SettingsDatabaseEditor, it can quickly query Android Properties and "net.dns1" && "net.dns2" will be your router's default DNS servers and "net.dns3" will be Google's 8.8.8.8 DNS.
Ok, if it's been using that DNS for a long time it may not be anything to worry about.
I always worry about Amazon sneaking in a Trojan and then not activating it for an update or more.
I'm just waiting them to do something about DNS based OTA blocking.