If you own a Roku streaming media player or Roku TV and want to disable the advertisements that occupy one-third of the Home screen, you will discover that Roku does not provide you a way to opt out.
Don’t be deterred. If you are technically savvy and motivated, this article documents how to engineer an ad-free Roku home screen — like this one.
A summary of what needs to be done (overview)
There is more than one way to remove Roku ads. If you are a talented technical engineer, this is what you are trying to accomplish.
- Prevent your Roku from reaching a list of domains (see below)
- Provide your Roku a fixed/static IP address
- Prevent your Roku from using DNS port 53 for LAN to WAN queries
Settings within the Roku (easy)
Most of the steps that you will take to remove ads reside outside of the Roku. If you simply want a little more privacy and fewer customized ads, at least perform these easy steps on your Roku.
Roku Features to Disable:
- Roku TV > Settings > Privacy > Advertising > Limit ad tracking (enabled)
- Roku TV > Settings > Privacy > Advertising > Reset advertising identifier (do this often)
- Roku TV > Settings > Privacy > Smart TV experience > Use info from TV inputs (not selected)
- Roku TV > Settings > Privacy > Smart TV experience > Enable auto notification (not selected)
- Roku TV > Settings > Home Screen > Featured Free > Hide
- Roku TV > Settings > Home Screen > Movie Store and TV Store > Hide
- Roku TV > Settings > Home Screen > My Offers > Hide
Block these domains (medium)
Using some network capturing tools, I logged about fifty unique IP addresses the Roku attempts to access within the first two minutes of it powering on. Blocking them all would result in a loss of functionality. Instead, you want to prevent the Roku from accessing just the following domains (LAN to WAN traffic).
Perhaps the easiest way to do this is to use either NextDNS.io or a Raspberry Pi Pi-Hole as your DNS provider, and subscribe to the Lightswitch05 Ads & Tracking block list. All of the domains above, except for amoeba-plus.web.roku.com and wwwimg.roku.com (in bold), were already included in Lightswitch05’s block list at the time of writing.
I accomplished DNS filtering by installing ASUSwrt-Merlin on my home router. I then configured my router to use NextDNS.io as the router’s DNS-over-TLS / DNS-over-HTTPS source. Using NextDNS.io at the router level will help you block ads for all devices on your home network, not just your Roku.
Here’s how I configured my home router to use NextDNS.io.
And how I configured NextDNS.io to filter out most Roku ads and tracking.
- NextDNS.io > Privacy > Blocklists > Add > Lightswitch05 Ads & Tracking
- NextDNS.io > Privacy > Native Tracking Protection > Add > Roku
- NextDNS.io > Denylist > Add > amoeba-plus.web.roku.com (missing from Lightswitch05)
- NextDNS.io > Denylist > Add > wwwimg.roku.com (missing from Lightswitch05)
Once you have a DNS filtering solution in place and have configured your home router to use it, all devices on your network should (by default) have their DNS traffic filtered. Except for the Roku, of course, which has hard coded its own public DNS source for some of its queries.
Provide your Roku a static/fixed IP address (medium)
To perform the last step, which involves creating firewall rules, you first need to provide your Roku a static IP address. I accomplish this by letting DHCP provide the Roku a dynamic IP address, and then configuring my router to always reserve that IP for the Roku.
- ASUSwrt-Merlin > LAN > DHCP Server > Manually Assigned IP
Firewall LAN to WAN Port 53 (hard)
DNS queries traditionally use Port 53 via TCP or UDP. You want to force your Roku to always use your router (and thus NextDNS or Pi-Hole) for all of its DNS queries.
In order to prevent your Roku from querying Google’s public DNS servers at 18.104.22.168 and 22.214.171.124 directly, you’ll need to configure a network firewall to block LAN to WAN traffic over Port 53 (TCP and UDP).
How to do this differs for each router. Here’s how I did it using ASUSwrt-Merlin.
- ASUSwrt-Merlin > Firewall > Network Services Filter > Enable
- ASUSwrt-Merlin > Firewall > Network Services Filter Table > add these two entries
- Entry 1 > Source IP (the static LAN IP address of your Roku), Destination Port Range 53, Protocol TCP
- Entry 2 > Source IP (the static LAN IP address of your Roku), Destination Port Range 53, Protocol UDP
That should do it. Reboot your router to clear your DNS cache then reboot your Roku. Hopefully you will be rewarded with an ad-free Roku.
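To confirm that the Roku is confined to the router's DNS, capture port 53 traffic with `tcpdump -n port 53` on the LAN side and look for queries it sends anywhere else. The script below is an added example, not part of the original article; the IP addresses and capture lines are constructed, and only the two roku.com hostnames come from the text above.

```python
import re

ROKU_IP = "192.168.1.50"   # assumption: the address reserved for the Roku in DHCP
ROUTER_IP = "192.168.1.1"  # assumption: the router that forwards DNS to NextDNS/Pi-hole

# Constructed sample of `tcpdump -n port 53` output from the router's LAN interface.
# 198.51.100.53 and 203.0.113.10 are documentation addresses, not real servers.
SAMPLE_CAPTURE = """\
12:00:01.100001 IP 192.168.1.50.41001 > 192.168.1.1.53: 4660+ A? wwwimg.roku.com. (33)
12:00:01.100900 IP 192.168.1.1.53 > 192.168.1.50.41001: 4660 1/0/0 A 0.0.0.0 (49)
12:00:02.200002 IP 192.168.1.50.41002 > 198.51.100.53.53: 4661+ A? amoeba-plus.web.roku.com. (42)
12:00:02.230000 IP 198.51.100.53.53 > 192.168.1.50.41002: 4661 1/0/0 A 203.0.113.10 (58)
12:00:02.900003 IP 192.168.1.23.50555 > 198.51.100.53.53: 8123+ A? example.org. (29)
12:00:04.000005 IP 192.168.1.50.52000 > 198.51.100.53.53: Flags [S], seq 1, win 64240, length 0
"""

# "IP src.sport > dst.dport: rest" as printed by tcpdump with -n (no name lookups).
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")
# A decoded query looks like "4661+ A? name." (optionally with flags such as "[1au]").
QUERY = re.compile(r"\d+\S*(?: \[\w+\])? ([A-Z0-9]+)\? (\S+)")

def audit_dns_bypass(capture, device_ip=ROKU_IP, resolver_ip=ROUTER_IP):
    """Map each off-router destination to the port-53 attempts made by device_ip
    and the number of replies that came back (replies > 0: the block is not working)."""
    report = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if src == device_ip and dport == "53" and dst != resolver_ip:
            entry = report.setdefault(dst, {"attempts": [], "replies": 0})
            q = QUERY.match(rest)
            if q:
                entry["attempts"].append(f"{q.group(1)} {q.group(2).rstrip('.')}")
            else:  # TCP segments are printed as "Flags [...]" rather than as a query
                entry["attempts"].append("tcp/53" if rest.startswith("Flags") else "other")
        elif dst == device_ip and sport == "53" and src in report:
            report[src]["replies"] += 1
    return report

if __name__ == "__main__":
    for dst, info in audit_dns_bypass(SAMPLE_CAPTURE).items():
        verdict = "NOT blocked" if info["replies"] else "blocked or unanswered"
        print(f"{ROKU_IP} -> {dst}:53 {info['attempts']} replies={info['replies']} ({verdict})")
```

Once the two Network Services Filter entries are active, attempts can still show up in a LAN-side capture, but the reply count for every off-router destination should stay at zero.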
Removing Roku ads will take some work. Some of these steps, like installing ASUSwrt-Merlin or a Pi-Hole, take some effort and require specific hardware you might not yet own. There are likely other ways to perform these steps on your own hardware — but I leave that to you. You know what needs to be done, and now just have to figure out how to do so if you want an ad-free Roku.