@bearlike
Last active August 31, 2023 05:20
A step-by-step guide to configure a Raspberry Pi 4 as a WiFi AP with DNS blocking capabilities, tailored to overcome hard-coded DNS settings in Fire TV for an ad-free experience.

Raspberry Pi 4 - WiFi Access Point with DNS Blocking and Pi-Hole Integration

This tutorial will guide you through setting up a Raspberry Pi 4 as a WiFi Access Point (AP) and blocking specific DNS servers, using 8.8.8.8 as an example.

Why should you do this?

You're setting up a Raspberry Pi 4 as a WiFi Access Point (AP) to gain more control over your network, specifically to address limitations in your current router. The primary goal is to block specific DNS servers, like 8.8.8.8, which some devices, such as the Fire TV, use by default. By doing so, you aim to prevent these devices from bypassing your preferred DNS settings, which you've configured to block ads using Pi-Hole. This setup ensures a consistent ad-free experience across all devices connected to the AP, even if they have hardcoded DNS settings.

Prerequisites

  • Raspberry Pi 4 (tested) or similar.
  • Raspbian OS (or similar) installed
  • Internet connection via Ethernet
  • Pi-Hole running as a Docker container (Note: Port 53 is already in use by Pi-Hole)
  • Two Pi-Hole instances; this guide assumes they run at 192.168.1.82 and 192.168.1.81

Setup

1. Set Up the Raspberry Pi as a WiFi Access Point:

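# Update and install necessary packages
# (netfilter-persistent and iptables-persistent provide the "netfilter-persistent save" command used in steps 2 and 3)
sudo apt update
sudo apt install hostapd dnsmasq netfilter-persistent iptables-persistent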

# Stop and disable the services for now
sudo systemctl stop hostapd
sudo systemctl stop dnsmasq
sudo systemctl disable hostapd
sudo systemctl disable dnsmasq

Configure a static IP for the wlan0 interface by editing /etc/dhcpcd.conf and adding:

interface wlan0
    static ip_address=192.168.10.1/24
    nohook wpa_supplicant

Restart the dhcpcd service:

sudo service dhcpcd restart

Configure hostapd for the WiFi AP by editing /etc/hostapd/hostapd.conf and adding:

interface=wlan0
driver=nl80211
ssid=Your_WiFi_Name
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Your_WiFi_Password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Now, tell hostapd where to find the configuration:

sudo nano /etc/default/hostapd

Replace #DAEMON_CONF="" with DAEMON_CONF="/etc/hostapd/hostapd.conf"

Configure dnsmasq:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf

Add:

interface=wlan0
dhcp-range=192.168.10.2,192.168.10.20,255.255.255.0,24h
dhcp-option=6,192.168.1.81,192.168.1.82

Enable and start the services:

sudo systemctl enable hostapd
sudo systemctl enable dnsmasq
sudo systemctl start hostapd
sudo systemctl start dnsmasq

2. Block Connections to 8.8.8.8:

sudo iptables -A FORWARD -d 8.8.8.8 -j DROP
sudo netfilter-persistent save

3. Enable IP Forwarding and Set Up NAT:

Edit /etc/sysctl.conf and add or uncomment:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Set up NAT:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo netfilter-persistent save

Troubleshooting

1. Internet Not Accessible from Client Devices

If after setting up the WiFi AP on the Raspberry Pi, the client devices can connect to the WiFi but cannot access the internet:

  • Check IP Forwarding: Ensure that IP forwarding is enabled. You can check this with:

    cat /proc/sys/net/ipv4/ip_forward

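    If it returns 0, IP forwarding is disabled. Enable it for the running system with the command below (a plain "sudo echo 1 > ..." fails because the redirect is performed by the unprivileged shell):

    sudo sysctl -w net.ipv4.ip_forward=1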
  • Check NAT Rules: Ensure that the NAT rules are correctly set up in iptables. The NAT rule is responsible for translating addresses and allowing the connected devices to share the Raspberry Pi's internet connection.

  • Restart Services: Sometimes, simply restarting the dnsmasq and hostapd services can resolve connectivity issues:

    sudo systemctl restart dnsmasq
    sudo systemctl restart hostapd

2. Specific IP Addresses Not Being Blocked

If you've set up rules to block specific IP addresses (like 8.8.8.8) but devices can still access them:

  • Check iptables Rules: Ensure that the rules are correctly set in iptables. You can view the rules with:

    sudo iptables -L -n -v
  • Rule Order Matters: iptables evaluates the rules in a chain from top to bottom and stops at the first rule that matches with an ACCEPT or DROP target. If a rule allowing traffic to an IP comes before the rule blocking it, the allow rule takes precedence. Ensure that block rules are placed before any allow rules that match the same IP.
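
The rule-order check described above can be done mechanically. The following is an added example, not part of the original guide: check_block_order is a hypothetical helper, and the two rule listings are constructed samples built from the commands in steps 2 and 3, in the format printed by iptables -S FORWARD.

```bash
#!/usr/bin/env bash
# Added example, not from the guide. check_block_order is a hypothetical helper;
# both listings are constructed samples in `iptables -S FORWARD` format.
# Prints: ok (block reached first) | shadowed (ACCEPT matches first) | missing.
check_block_order() {
    local ip="$1" lan_if="${2:-wlan0}"
    awk -v ip="$ip" -v lan="$lan_if" '
        $1 != "-A" || $2 != "FORWARD" { next }   # skip policy (-P) lines
        {
            dst = ""; inif = ""; target = ""; state = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-i") inif = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            }
            sub(/\/32$/, "", dst)                # -S prints hosts as a.b.c.d/32
            from_lan = (inif == "" || inif == lan)
        }
        (target == "DROP" || target == "REJECT") && dst == ip && from_lan {
            print (accept_seen ? "shadowed" : "ok"); found = 1; exit
        }
        # An ACCEPT for new client traffic with no destination limit (or this
        # destination) matches first and ends traversal of the chain.
        target == "ACCEPT" && from_lan && (dst == "" || dst == ip) &&
            (state == "" || state ~ /NEW/) { accept_seen = 1 }
        END { if (!found) print "missing" }
    '
}

# Order produced by the guide: step 2 (DROP) is appended before step 3 (ACCEPT).
GUIDE_ORDER='-P FORWARD ACCEPT
-A FORWARD -d 8.8.8.8/32 -j DROP
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT'

# Same rules with the DROP appended last (step 3 run before step 2).
SHADOWED_ORDER='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -d 8.8.8.8/32 -j DROP'

printf '%s\n' "$GUIDE_ORDER"    | check_block_order 8.8.8.8
printf '%s\n' "$SHADOWED_ORDER" | check_block_order 8.8.8.8
# On the Pi: sudo iptables -S FORWARD | check_block_order 8.8.8.8
```

Called with 8.8.4.4 against the guide's rule set, the helper reports missing, because step 2 adds a rule for 8.8.8.8 only.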

3. Clearing App Cache on Fire TV using ADB

To clear the app cache for all applications on your Fire TV:

  1. Connect to the Fire TV via ADB:

    adb connect 192.168.10.15
  2. List all installed packages:

    adb shell pm list packages
  3. Clear cache for each package: For each package name (e.g., com.example.app), run:

    adb shell pm clear com.example.app

    Note: This command not only clears the cache but also clears the data for that app, resetting it to its default state. If you only want to clear the cache and not the data, find the cache directory for each app (typically in /data/data/com.example.app/cache or /data/user/0/com.example.app/cache) and clear it manually with:

    adb shell rm -r /data/data/com.example.app/cache/*

Caution: Always be careful when using commands like rm -r as they can delete directories and their contents. Ensure the path is correct before executing.

Conclusion

You should now have a Raspberry Pi 4 set up as a WiFi AP with specific DNS servers blocked. Connect your devices to this AP to benefit from the DNS blocking.
