You Built a Network of Snitches

You didn't get hacked. You just bought a bunch of devices that were designed to spy on you. Time to take your network back.

John Crenshaw

Most home network security advice gets the threat model backwards. You'll read about keeping hackers out, changing default passwords, maybe setting up a VPN if you're feeling fancy, and all of that is fine as far as it goes, but it completely misses where the actual problem is. The bigger threat to your privacy isn't some attacker trying to break in from the outside, it's all the traffic flowing out from the inside, from devices you bought and paid for and invited onto your network because they promised to make your life more convenient.

Your smart TV reports what you watch back to Samsung or LG or whoever made it, and this isn't some secret conspiracy, it's right there in the terms of service that nobody reads. Your phone maintains a constant connection to Google or Apple, feeding back location data and app usage and search history and god knows what else. That cheap smart plug you grabbed off Amazon is chattering away to a server somewhere in Shenzhen. Meanwhile your ISP sits in the middle of all of it, logging every DNS request that passes through their infrastructure, building a tidy profile of everywhere you go online even if you're using HTTPS for everything, because DNS happens before the encryption and they can see every domain you're trying to reach.

None of this requires a security breach or a sophisticated attack. You weren't hacked. These devices are working exactly as designed, and they were designed to extract as much data from you as possible.

What You're Actually Defending Against

When I started thinking seriously about my home network, I had to get honest about what I was actually worried about, because "security" is a vague concept that can mean anything from nation-state attacks to keeping your neighbor off your wifi. My actual concerns came down to a handful of things that probably overlap with yours if you're reading this.

ISP snooping was near the top of the list, because I'm paying these people a hundred bucks a month and they're turning around and monetizing my browsing history on top of it, which feels like getting pickpocketed by the bus driver. DNS requests are sent in plain text by default, so even if every website you visit uses HTTPS, your ISP can still see that you visited it, they just can't see what you did once you got there. That's enough to build a pretty comprehensive profile of who you are, what you're interested in, what your politics are, what medical conditions you might be researching, whether you're looking for a new job, all of it.

Then there's the telemetry problem, which is really just corporate surveillance that we've all been trained to accept as normal. Google and Apple and Microsoft and Amazon have built their entire business models around knowing as much about you as possible, and they've conveniently put the tools for that data collection into every device you own. Your Android phone is basically a Google sensor package that also makes calls. Your Windows machine is constantly chattering back to Redmond. Apple talks a big game about privacy but still collects plenty of data, they're just slightly less creepy about it.

The IoT situation is even worse because at least Google and Apple are known quantities with reputations to protect. That no-name smart bulb you bought runs firmware written by god knows who, phones home to servers you've never heard of, and will never receive a security update in its life. The attack surface on most IoT devices is horrifying, but even if they're not actively compromised, they're still collecting data about your home and your habits and shipping it off somewhere.

And then there's plain old advertising, the trackers embedded in every website and app, the fingerprinting and the pixels and the cookies, all of it designed to follow you around the internet and build a profile that can be sold to whoever wants it. You can run an ad blocker in your browser, but that doesn't help your TV or your tablet or your kid's devices or anything else that connects to your network.

The through line connecting all of this is that the problem isn't primarily about keeping bad actors out; it's about controlling what your own devices are sending out without your knowledge or meaningful consent.

Taking Control of DNS

DNS is the foundation of everything else because it's the first thing that happens when any device tries to reach anything on the internet. Before your browser can load a webpage, before your TV can stream a show, before your smart thermostat can phone home, something has to translate that domain name into an IP address, and by default that translation request goes to your ISP in plain text where they can log it and do whatever they want with it.

The simplest fix is to change your DNS provider to something like Cloudflare or Quad9, and that's a reasonable first step that takes about thirty seconds, but you're still funneling all your queries through a single third party who can see everywhere you go online. Maybe you trust Cloudflare more than Comcast, and that's probably fair, but the ideal scenario is not having to trust anyone at all.

That's where running your own recursive resolver comes in. I use Unbound, which is a piece of software that does DNS resolution the way it was originally designed to work, before everyone started relying on big upstream providers. When you ask Unbound where reddit.com is, it doesn't forward that question to Cloudflare; it goes directly to the root DNS servers, then to the .com servers, then to Reddit's authoritative nameservers, piecing together the answer from the source. Your queries get distributed across thousands of different servers instead of concentrated with one provider, and nobody except you has a complete picture of everywhere you're going.

Pi-hole sits in front of Unbound and handles the filtering, which is where things get interesting. Pi-hole maintains blocklists of known advertising, tracking, and telemetry domains, and when any device on your network tries to resolve one of those domains, Pi-hole just returns nothing. The request never makes it past your own network. That Samsung TV trying to reach samsungads.com? As far as it knows, that domain doesn't exist. The Microsoft telemetry endpoints that Windows is constantly trying to reach? Gone. The dozens of tracking domains that load in the background every time you visit a news website? Blocked before your browser even knows they exist.

The beautiful thing about DNS level blocking is that it works for every device on your network without having to configure each one individually. You can't install an ad blocker on your smart TV or your game console or your IoT devices, but if the blocking happens at DNS, it doesn't matter what the device is or what operating system it runs. If it uses your network, it plays by your rules.

Setting up Unbound and Pi-hole on a Linux box isn't particularly difficult (Unbound is in most package managers and Pi-hole has a one-liner install script), but the real work is tuning your blocklists and figuring out what to whitelist when things break. You'll discover pretty quickly just how much of the modern internet is tracking infrastructure when you see the sheer volume of requests getting blocked in your logs.
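To make the filtering step concrete, here is an added Python example (not code from the article, and not Pi-hole's or Unbound's own code) that reduces the Pi-hole decision described above to a few functions: parse a hosts-format blocklist, honour a whitelist, and either return the sinkhole answer or hand the name to the recursive resolver. The blocklist, whitelist and the tiny table standing in for Unbound are constructed for the demo; samsungads.com is the domain the article names, the other hostnames and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```python
"""Pi-hole-style DNS filtering reduced to its decision logic.

Added example for this article; not code from the article, Pi-hole or Unbound.
It parses a constructed hosts-format blocklist (the "0.0.0.0 domain" layout
most public lists use), honours a whitelist, and for each query either returns
the sinkhole address or hands the name to the recursive resolver, which is
stood in for here by a small constructed table (documentation addresses).
"""
from __future__ import annotations

import ipaddress
from typing import Iterator

# Constructed blocklist. It deliberately contains the comments, inline
# comments and hosts-file noise that a parser has to tolerate.
BLOCKLIST_TEXT = """\
# Title: constructed example list (not a real blocklist)
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 samsungads.com
0.0.0.0 telemetry.example-vendor.com
0.0.0.0 example-metrics.net   # covers the domain and everything under it
tracking.example-news.com
"""

# Constructed whitelist: one subdomain of a blocked domain that a service needs.
WHITELIST = {"api.example-metrics.net"}

SINKHOLE_IP = "0.0.0.0"  # the "nothing here" answer a blocked query gets

# Constructed stand-in for Unbound: what the recursive resolver would return.
UPSTREAM = {"reddit.com": "203.0.113.10", "api.example-metrics.net": "198.51.100.7"}

# Names hosts files carry for the local machine; they are never block targets.
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the domains in a hosts-format or plain-domain blocklist."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        # "ip name [name ...]" in hosts format, or a bare "name" in a domain list.
        names = parts[1:] if _is_ip(parts[0]) else parts
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in _HOSTS_NOISE:
                domains.add(name)
    return domains


def _name_and_parents(name: str) -> Iterator[str]:
    """Yield the name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(name: str, blocklist: set[str], whitelist: set[str]) -> bool:
    """Most-specific entry wins, so a whitelisted subdomain of a blocked domain
    gets through while its siblings do not. Design choice of this example:
    an entry covers the domain and everything beneath it."""
    for candidate in _name_and_parents(name):
        if candidate in whitelist:
            return False
        if candidate in blocklist:
            return True
    return False


def resolve(name: str, blocklist: set[str], whitelist: set[str],
            upstream: dict[str, str] = UPSTREAM) -> tuple[str | None, str]:
    """Return (answer, verdict). A blocked name never reaches the upstream resolver."""
    if is_blocked(name, blocklist, whitelist):
        return SINKHOLE_IP, "blocked"
    answer = upstream.get(name.lower().rstrip("."))
    return (answer, "resolved") if answer else (None, "nxdomain")


if __name__ == "__main__":
    bl = parse_hosts_blocklist(BLOCKLIST_TEXT)
    for q in ("samsungads.com", "beacon.example-metrics.net",
              "api.example-metrics.net", "reddit.com", "nope.invalid"):
        print(f"{q:32} -> {resolve(q, bl, WHITELIST)}")
```

The whitelist check runs before the blocklist check at each label, which is what lets you unbreak one subdomain of a vendor's tracking domain without unblocking the rest of it.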

Firewall Thinking Beyond the Basics

Everyone knows the basic firewall advice: default deny from WAN, don't forward ports you don't need, change your default passwords. That's all correct and you should do it, but it's also the bare minimum and it's focused almost entirely on keeping things out when the more interesting question is what you're letting out.

UPnP is a perfect example of a feature that exists purely for convenience and creates a massive hole in your security posture. The idea behind UPnP is that devices on your network can automatically open ports to the internet without you having to configure anything, which sounds great if you're trying to get your Xbox to work with voice chat or whatever, but think about what that actually means: any device on your network can punch holes in your firewall without asking permission. Malware loves UPnP because it means that once something gets onto your network, it can open up its own back door to the outside world. Turn it off. If something legitimately needs a port opened, you can do it manually, and then you'll actually know what's exposed instead of trusting every random device to make that decision for you.

Port forwarding in general is something I've become increasingly aggressive about avoiding entirely. Every port you forward to the internet is an invitation, a service sitting there waiting for connections from anyone who finds it, and unless you're absolutely certain that service is hardened and patched and configured correctly, you're taking a risk that probably isn't worth whatever convenience you're getting. I don't allow any remote access to my network at all, which some people think is extreme, but I've come to the conclusion that if I'm not home, I'm not home. I don't need to check on my security cameras from vacation badly enough to expose a video stream to the internet. I don't need to access my files remotely badly enough to run a VPN endpoint that could be compromised. The attack surface reduction from just not doing any of that is significant, and I've adjusted my habits around the limitation rather than introducing risk for convenience.

The outbound side of firewall configuration is where things get more interesting and where most people don't spend enough time thinking. Your devices are constantly making outbound connections, and most of them are connections you never asked for and don't benefit from. If your router supports it, you can get granular about what's allowed to leave: some people block entire IP ranges for countries they have no reason to communicate with, others maintain blocklists of known advertising and telemetry IPs as a backup to DNS filtering, because some particularly aggressive software will try to bypass DNS and connect directly to hardcoded IP addresses. The goal is making your network hostile to the surveillance and tracking that all these devices are trying to do, layering defenses so that even if something gets past one layer, there's another one waiting.

Segmentation and the Art of Containment

Here's the uncomfortable reality about IoT devices: most of us aren't going to throw them all away. The smart TV has a nice screen and it would be annoying to replace it with a dumb monitor. The voice assistant is genuinely useful sometimes, even if it is an always-on microphone connected to Amazon's servers. The robot vacuum actually does keep the floors clean. You can take a hardline stance and refuse to have any of this stuff in your house, which is a valid choice, but most people are going to end up with at least some devices they don't fully trust but still want to use.

VLANs let you have it both ways by creating network segments that are isolated from each other. The concept is straightforward: instead of having one flat network where every device can see and communicate with every other device, you create separate zones with rules about what traffic can pass between them. Your computers and phones and other devices you actually trust go on one VLAN. The IoT garbage goes on another. Maybe you have a third for guest devices, or a fourth for work stuff if you're keeping that separate from personal, whatever makes sense for your situation.

The practical effect is that your smart TV can reach the internet to stream Netflix, but it can't see your NAS or your workstation or anything else on your trusted network. If that TV turns out to be doing something sketchy, or if it gets compromised because it's running ancient unpatched firmware with known vulnerabilities, the blast radius is contained to its own little sandbox. It can't be used as a jumping-off point to attack the rest of your network because as far as it can tell, the rest of your network doesn't exist.

Setting this up requires hardware that actually supports VLANs, which immediately rules out most consumer grade routers and switches. This is one of the reasons I ended up moving to Ubiquiti equipment, not because it's the only option, there are plenty of choices in the prosumer and enterprise space, but because I needed something that would let me actually configure my network the way I wanted instead of being limited to whatever the manufacturer decided to expose through their app. The configuration isn't particularly difficult if you have a basic understanding of networking concepts, but it's definitely more involved than plugging in a consumer router and letting the wizard handle everything.
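The rule ordering is the part that trips people up, for both the outbound filtering in the firewall section and the VLAN isolation described here, so here is an added Python example (not the author's configuration, and not any vendor's rule syntax) that evaluates candidate flows against an ordered, default-deny policy the way a stateful firewall does. The subnets, the Pi-hole address and the blocked egress range are constructed; the thing to carry over to nftables or your router's firewall UI is the order of the rules, not the addresses.

```python
"""Inter-VLAN isolation and egress filtering as an ordered, default-deny rule list.

Added example for this article; it is not the author's firewall configuration
and not any vendor's rule syntax. It models the zones the article describes
(trusted VLAN, IoT VLAN, the Pi-hole box) and evaluates candidate flows the way
a stateful firewall does: first matching rule wins, nothing matching is dropped.
Subnets, the Pi-hole address and the blocked egress range are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable

# Constructed addressing plan: one /24 per VLAN, Pi-hole living on the trusted VLAN.
TRUSTED = ip_network("192.168.10.0/24")
IOT = ip_network("192.168.30.0/24")
PIHOLE = ip_address("192.168.10.53")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed egress blocklist standing in for the telemetry-IP or country ranges
# the article mentions; 203.0.113.0/24 is a documentation range, not a real server.
EGRESS_BLOCK = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "tcp"
    new: bool = True  # first packet of a connection; replies are judged by state


def flow(src: str, dst: str, dport: int, proto: str = "tcp", new: bool = True) -> Flow:
    return Flow(ip_address(src), ip_address(dst), dport, proto, new)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    match: Callable[[Flow], bool]


def _private(ip: IPv4Address) -> bool:
    return any(ip in net for net in PRIVATE)


def _egress_blocked(ip: IPv4Address) -> bool:
    return any(ip in net for net in EGRESS_BLOCK)


# Order matters: the deny rules for IoT sit above the broad allows.
RULES = [
    Rule("established", "allow", lambda f: not f.new),
    # IoT devices may ask our resolver, and only our resolver, for DNS.
    Rule("iot-dns-to-pihole", "allow",
         lambda f: f.src in IOT and f.dst == PIHOLE and f.dport == 53),
    # A device with a hardcoded resolver (53) or DNS over TLS (853) gets nothing.
    Rule("iot-no-dns-bypass", "deny", lambda f: f.src in IOT and f.dport in (53, 853)),
    # IoT never initiates towards any private range: the trusted VLAN does not exist to it.
    Rule("iot-isolation", "deny", lambda f: f.src in IOT and _private(f.dst)),
    # Backstop for software that skips DNS and talks to hardcoded addresses.
    Rule("egress-blocklist", "deny", lambda f: _egress_blocked(f.dst)),
    # Trusted devices may cast to the TV, manage the vacuum, and reach the internet.
    Rule("trusted-out", "allow", lambda f: f.src in TRUSTED),
    # What is left for IoT is plain internet access.
    Rule("iot-internet", "allow", lambda f: f.src in IOT and not _private(f.dst)),
]


def evaluate(f: Flow, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else default deny."""
    for rule in rules:
        if rule.match(f):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        flow("192.168.30.12", "192.168.10.20", 445),              # TV -> NAS
        flow("192.168.30.12", "192.168.10.53", 53, "udp"),        # TV -> Pi-hole
        flow("192.168.30.12", "198.51.100.53", 53, "udp"),        # TV -> someone else's resolver
        flow("192.168.30.12", "198.51.100.10", 443),              # TV -> streaming service
        flow("192.168.30.12", "203.0.113.7", 443),                # TV -> blocked range
        flow("192.168.10.21", "192.168.30.12", 8009),             # laptop -> TV (cast)
        flow("192.168.30.12", "192.168.10.21", 8009, new=False),  # TV's reply packets
    ]
    for s in samples:
        print(f"{s.src} -> {s.dst}:{s.dport}/{s.proto}  {evaluate(s)}")
```

Note that the trusted-to-IoT direction is allowed while the reverse is not; the "established" rule is what lets the TV answer your laptop without being able to start a conversation of its own.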

One underrated benefit of segmentation is the visibility it gives you into what your devices are actually doing. Once your IoT stuff is on its own VLAN, you can monitor that traffic and see exactly what it's trying to reach, and the results are often educational in a depressing sort of way. That robot vacuum that "just needs wifi to work" turns out to be making connections to half a dozen different servers across multiple continents. That smart plug is chattering away constantly even when you're not using it. You knew intellectually that these devices were phoning home, but seeing it in your logs makes it concrete in a way that reading about it doesn't.

Living With It

Once everything is set up, the day-to-day experience is mostly invisible, which is kind of the point. Pi-hole sits there quietly blocking a few thousand requests every day, Unbound resolves everything else, the firewall does its thing, and the VLANs keep everything in their respective lanes. You don't think about it most of the time because there's nothing to think about.

The main ongoing maintenance is supposedly checking Pi-hole when something breaks, because occasionally a legitimate service can get caught in a blocklist and you'll need to whitelist it. This is something you'll see mentioned constantly in Pi-hole forums and guides, and I'm sure it happens to people depending on their blocklists and what services they use, but I'll be honest, it's never actually happened to me. I set it up, tuned the blocklists, and it's just worked. Your experience might vary, especially if you're using more aggressive blocklists or you rely on services that are particularly intertwined with tracking infrastructure, but don't let the fear of constant maintenance scare you off. It might be a non issue for you too.

The other thing that becomes part of your routine, at least if you're the kind of person who finds this stuff interesting, is occasionally checking the logs to see what's being blocked and what your devices are trying to do. There's something satisfying about watching the blocked request counter tick up, knowing that each one of those is a tracking pixel or a telemetry endpoint or an ad that never made it through. You can see exactly how much of the modern internet is surveillance infrastructure, because you're watching it all bounce off your network in real time.
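For the log-watching described here, and for the per-device visibility the segmentation section talks about, here is an added Python example (not the author's tooling, and not part of Pi-hole) that turns a query log into per-client numbers. The log lines are constructed in the dnsmasq-style format Pi-hole writes (`query[A] name from client`, `gravity blocked name is 0.0.0.0`, `forwarded name to server`); the client addresses, domains and the IoT subnet are placeholders, and the parser keys only on the `query[`, `blocked`, `forwarded` and `cached` words so that minor differences between versions do not matter.

```python
"""Turn Pi-hole's query log into per-device numbers.

Added example for this article; not the author's tooling and not part of Pi-hole.
The log lines are constructed in the dnsmasq-style format Pi-hole writes
("query[A] name from client", "gravity blocked name is 0.0.0.0",
"forwarded name to server"); clients, domains and addresses are placeholders.
The parser pairs each query with the verdict line that follows it for the same
name, then reports what each device, and the IoT VLAN in particular, tried to reach.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.30.0/24")  # constructed: the IoT segment

# Constructed sample: a TV (.12), a robot vacuum (.40) and a smart plug (.77)
# on the IoT VLAN, and a laptop (.21) on the trusted VLAN.
LOG = """\
Jan 12 09:14:02 dnsmasq[1234]: query[A] samsungads.com from 192.168.30.12
Jan 12 09:14:02 dnsmasq[1234]: gravity blocked samsungads.com is 0.0.0.0
Jan 12 09:14:03 dnsmasq[1234]: query[A] reddit.com from 192.168.10.21
Jan 12 09:14:03 dnsmasq[1234]: forwarded reddit.com to 127.0.0.1#5335
Jan 12 09:14:03 dnsmasq[1234]: reply reddit.com is 203.0.113.10
Jan 12 09:14:05 dnsmasq[1234]: query[A] api.vacuum-vendor.example from 192.168.30.40
Jan 12 09:14:05 dnsmasq[1234]: forwarded api.vacuum-vendor.example to 127.0.0.1#5335
Jan 12 09:14:05 dnsmasq[1234]: query[A] metrics.vacuum-vendor.example from 192.168.30.40
Jan 12 09:14:05 dnsmasq[1234]: gravity blocked metrics.vacuum-vendor.example is 0.0.0.0
Jan 12 09:14:09 dnsmasq[1234]: query[A] samsungads.com from 192.168.30.12
Jan 12 09:14:09 dnsmasq[1234]: gravity blocked samsungads.com is 0.0.0.0
Jan 12 09:14:11 dnsmasq[1234]: query[AAAA] telemetry.example-vendor.com from 192.168.30.12
Jan 12 09:14:11 dnsmasq[1234]: gravity blocked telemetry.example-vendor.com is ::
Jan 12 09:14:12 dnsmasq[1234]: query[A] plug.example-cloud.net from 192.168.30.77
Jan 12 09:14:12 dnsmasq[1234]: cached plug.example-cloud.net is 198.51.100.9
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)")
BLOCKED_RE = re.compile(r"blocked (?P<domain>\S+) is ")
ALLOWED_RE = re.compile(r"(?:forwarded|cached) (?P<domain>\S+) (?:to|is) ")


@dataclass
class Stats:
    queries: int = 0
    blocked: int = 0
    reached: Counter[str] = field(default_factory=Counter)          # names that resolved
    blocked_domains: Counter[str] = field(default_factory=Counter)  # names that were sinkholed


def parse_pihole_log(text: str) -> dict[str, Stats]:
    """Per-client stats; a verdict line is matched to the oldest unanswered query for its name."""
    pending: dict[str, deque[str]] = defaultdict(deque)
    stats: dict[str, Stats] = defaultdict(Stats)
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            pending[m["domain"]].append(m["client"])
            stats[m["client"]].queries += 1
        elif m := BLOCKED_RE.search(line):
            if pending[m["domain"]]:
                client = pending[m["domain"]].popleft()
                stats[client].blocked += 1
                stats[client].blocked_domains[m["domain"]] += 1
        elif m := ALLOWED_RE.search(line):
            if pending[m["domain"]]:
                client = pending[m["domain"]].popleft()
                stats[client].reached[m["domain"]] += 1
    return dict(stats)


def iot_report(stats: dict[str, Stats]) -> dict[str, dict]:
    """Only the IoT VLAN: query volume, how much was blocked, and where the rest went."""
    report = {}
    for client, s in stats.items():
        if ip_address(client) in IOT_VLAN:
            report[client] = {
                "queries": s.queries,
                "blocked": s.blocked,
                "reached": sorted(s.reached),
                "blocked_domains": sorted(s.blocked_domains),
            }
    return report


def block_rate(stats: dict[str, Stats]) -> float:
    """The blocked-request counter the article mentions, as a fraction of all queries."""
    total = sum(s.queries for s in stats.values())
    blocked = sum(s.blocked for s in stats.values())
    return blocked / total if total else 0.0


if __name__ == "__main__":
    st = parse_pihole_log(LOG)
    print(f"blocked {block_rate(st):.0%} of all queries")
    for client, info in sorted(iot_report(st).items()):
        print(client, info)
```

On the constructed sample the TV never makes a query that gets through, and the vacuum splits evenly between its API and its metrics endpoint; run over a real `/var/log/pihole.log` (path as assumed here), the `reached` list for each IoT client is the concrete answer to what that device actually talks to.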

Is all of this paranoid? I've thought about that question a lot, and I keep coming back to the same answer: I don't think it's paranoid to want control over my own network and my own data. These companies have made it abundantly clear that they see us as products to be monetized, that our attention and our data and our habits are the raw material for their business models, and the only reason we put up with it is because opting out used to be hard. But it's not that hard. A cheap mini PC running Linux, some networking equipment that doesn't treat you like an idiot, and a weekend of configuration, and suddenly you're not participating in the surveillance economy anymore, at least not from your home network.

The devices still try to phone home, of course. They'll never stop trying. But now you can see them doing it, and you can tell them no.