DNS redirection

Once the tool is positioned in the traffic path via ARP spoofing, it can intercept every DNS query your Roku sends and forward them to Pi-hole instead of the default DNS server.

How DNS works

DNS stands for Domain Name System. When your Roku wants to connect to a server — to load an ad, stream content, or send telemetry — it first sends a DNS query to resolve the domain name (like ads.example.com) to an IP address. A DNS server receives the query and returns either the IP address or an error if the domain doesn’t exist. Without DNS, your Roku cannot reach any remote host by name. This makes DNS the ideal place to intercept and filter unwanted traffic.

Why you can’t change the Roku’s DNS directly

Roku devices do not expose a DNS setting in their UI. The DNS server your Roku uses is typically assigned by your router via DHCP when the device connects to the network. To change it, you would normally need access to your router’s settings — something you may not have on a shared or managed network. The tool bypasses this entirely by intercepting DNS queries in transit, before they ever reach the router or its configured DNS server.

How DNS interception works

Because ARP spoofing redirects your Roku’s outbound traffic to your machine, every packet — including DNS queries — passes through Scapy’s packet capture. The tool inspects each packet and checks whether it is a DNS query (a UDP packet on destination port 53). When it finds one, it rewrites the destination IP to your Pi-hole server’s address and forwards it. From Pi-hole’s perspective, it receives a normal DNS query. It has no knowledge that the query originated from a Roku device.

How Pi-hole filters queries

Pi-hole maintains a blocklist of known ad, tracker, and telemetry domains. When it receives a DNS query, it checks the requested domain against its blocklist:

• If the domain is not blocked, Pi-hole resolves it normally and returns the real IP address.

• If the domain is blocked, Pi-hole returns either NXDOMAIN (domain does not exist) or 0.0.0.0 / :: (a null IP address). Your Roku receives this response and cannot connect to the blocked domain.

Pi-hole blocks a broad range of unwanted traffic from Roku devices, including:

• Ads: domains that serve banner, video, and interstitial advertisements

• Trackers: domains that collect usage data, viewing habits, and behavioral analytics

• Telemetry: domains used for device diagnostics and performance reporting back to Roku and third-party partners

You can extend Pi-hole’s default blocklists with additional community-maintained lists to broaden coverage.

How the full DNS flow works

1

Roku sends a DNS query

Your Roku wants to connect to a remote host. It generates a DNS query for the domain name and sends it toward what it believes is the router (but is actually your machine, due to ARP spoofing).

2

Your machine intercepts the query

Scapy captures the packet on your network interface. The tool identifies it as a DNS query by inspecting the protocol and destination port (UDP port 53).

3

Query is forwarded to Pi-hole

The tool rewrites the destination IP address in the packet to point to your Pi-hole server and forwards it. The query arrives at Pi-hole looking like a normal DNS request.

4

Pi-hole checks its blocklist

Pi-hole looks up the requested domain in its blocklist. If the domain is known to serve ads, tracking scripts, or telemetry, it marks the query for blocking.

5

Pi-hole returns a filtered response

For blocked domains, Pi-hole returns NXDOMAIN or a null IP. For allowed domains, it returns the real IP address resolved from an upstream DNS provider.

6

Response is forwarded back to the Roku

The tool receives Pi-hole’s response and forwards it to your Roku. Your Roku processes the response: it either connects to the resolved IP (for allowed domains) or fails to connect (for blocked domains), effectively suppressing the ad or tracker.