Updates Being Blocked in Certain Regions due to Anti-Piracy Measures

For the big files let’s start torrenting. I keep specific things seeded at all times.

If you leave your browser’s DNS config set to “Secure DNS” or other aliases, you are also being subjected to censorship.

Secure DNS is a way for the browser to force you to use a DNS provider of their choice who, in many if not most instances, engages in blacklisting and filtering of DNS results.

If you want to filter your DNS results and block malicious code (the ostensible reason why they do this), then run your own Pi-hole server (available to run as TrueNAS App) and you get to choose what is censored.

Don’t fool yourself, there is censorship going on all across the Internet and around the world.

6 Likes

In Spain it’s the same—“LaLiga,” a private company, acts like a mafia and blocks tons of IPs, many with no connection to the piracy of that damn football… I haven’t been able to update the NAS all week :frowning:

And all with the judges’ blessing—elderly gentlemen who probably have no idea how the internet works… I hope it’s all just ignorance, because otherwise…

1 Like

If it’s DNS based blocking, then running your own local recursive name server probably helps. PiHole on a Raspberry Pi for example, if you do not want to go “full OPNsense”.

Moreover, the reports are made by ordinary people (from those lobbies) that make a lot of embarrassing mistakes → providers must react so quickly under heavy pressure that they (IMHO legitimately) don't have time to perform any good checks → then they start to pick up the pieces and the time to fix mistakes is obscenely long.

Unluckily, IP blocking is also involved; only a VPN should fix this, but they realized that and started ostracizing VPN providers too. It is no longer guaranteed that all VPNs are available to us (look at that). Italian VPNs (for me in Italy) afaik also have to perform the same actions as ISPs.

1 Like

What would happen if you use a VPN to pretend you’re not in Italy, so that you can purchase a VPN service that does not allow new subscriptions for Italian residents? :no_mouth:

5 Likes

Ahahah I can’t screenshot the page from my smartphone but damn it works ahahah
VPNCEPTIONNNN

4 Likes

Rent a VPC for a fiver per month at DigitalOcean or Vultr, deploy your own WireGuard …

That’s what I did to bypass geofencing.

1 Like

Install QubesOS, run whonix in a disposable. Mostly[TM] done.

This issue is affecting me in Canada but I use Cloudflare DNS 1.1.1.1.

EDIT

I’m also using pfBlockerNG which is the likely culprit.

:thinking:

```
root@mini-r[~]# dig @1.1.1.1 download.sys.truenas.net

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @1.1.1.1 download.sys.truenas.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21831
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;download.sys.truenas.net.      IN      A

;; ANSWER SECTION:
download.sys.truenas.net. 7200  IN      CNAME   link.storjshare.io.
link.storjshare.io.     45      IN      A       136.0.77.2

;; Query time: 52 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Aug 29 15:29:28 EDT 2025
;; MSG SIZE  rcvd: 101
```

I’m not seeing any issues against 1.1.1.1 - we do occasionally see issues with “malware protection” DNS flagging storjshare.io as a “File Sharing” site though.

pfBlockerNG strikes again. It’s on a list somewhere.
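To tell a local filter (Pi-hole, pfBlockerNG) apart from an upstream problem, compare the `dig` output from the local resolver with the output from a reference resolver such as the 1.1.1.1 query above. This is an added example, not code from anyone in this thread; the 10.10.10.1 sinkhole address and the `LOCAL_SINKHOLED` sample are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: pfBlockerNG's DNSBL virtual IP is left at 10.10.10.1; adjust to your setup.
EXTRA_SINKHOLES = {"10.10.10.1"}

# Trimmed from the dig output against 1.1.1.1 posted above.
REFERENCE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21831
;; ANSWER SECTION:
download.sys.truenas.net. 7200  IN      CNAME   link.storjshare.io.
link.storjshare.io.     45      IN      A       136.0.77.2

;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""

# Constructed sample: what a filtering local resolver might answer.
LOCAL_SINKHOLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
link.storjshare.io.     2       IN      A       0.0.0.0
"""

def parse_dig(text):
    """Return (status, [A/AAAA addresses]) from full `dig` output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    addrs, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and not line.strip():
            break  # a blank line ends the answer section
        elif in_answer:
            fields = line.split()
            if len(fields) >= 5 and fields[3] in ("A", "AAAA"):
                addrs.append(fields[4])
    return status, addrs

def classify(local_text, reference_text):
    """Compare the local resolver's answer with a reference resolver's."""
    l_status, l_addrs = parse_dig(local_text)
    r_status, r_addrs = parse_dig(reference_text)
    if r_status != "NOERROR" or not r_addrs:
        return "upstream-failure"   # the name fails everywhere, not a local filter
    if l_status != "NOERROR" or not l_addrs:
        return "dns-blocked"        # NXDOMAIN/REFUSED/empty answer from the local resolver
    for a in l_addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_unspecified or ip.is_loopback or a in EXTRA_SINKHOLES:
            return "sinkholed"      # answer rewritten to a null or block-page address
    return "dns-ok"                 # differing public IPs are normal for CDNs
```

A `dns-ok` result while the update still fails points away from DNS and toward IP-level blocking, which a local resolver cannot fix.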

Running your own Pi-hole server is not enough. You need to fully hijack your network’s DNS traffic to compensate for DOH, DOT and normal DNS. DOQ is not really a thing.

You hijack all DNS traffic and force it through your DNS server of choice.

I use pfSense firewall rules to do this, but I do not use Pi-hole; I use Quad9 over TLS through pfSense.

2 Likes

There’s a lot I could say in response to this, but instead I will just keep it short and wish you the best of luck with that over there (in the states).

1 Like

I also do this.

My browser is set up to not do DoH/DoT on its own.
DHCP hands out my Piholes as the DNS servers and they in turn do my DNS lookups securely instead. Not trusting that, I also intercept all DNS traffic not coming from said Piholes and redirect it there.

I currently use Cloudflare’s “unfiltered” DNS (1.1.1.1), but I suspect that may change during the coming year or two due to increased federal “pressure”.

A lot of people think if they just change their DNS server it’s enough. Took me ages to get my rules solid. :grinning:

2 Likes

TrueNAS does not use DoH or DoT so pointing TrueNAS at your own recursive resolver should definitely be enough for all DNS based blocks.

Whatever your browser does is irrelevant in the context of this thread. It’s not your browser checking for updates but the TrueNAS system itself.

Of course it’s a good idea to get as independent and relying on open source solutions as possible, so I, too, run my local OPNsense, block all external DNS including DoT and DoH etc.

But the initial question is how to get TrueNAS to update. A local resolver should be enough - if (again) it’s DNS based blocks. You could run one in a VM or an LXC container on TrueNAS.

Admittedly, I didn’t go into detail, but I am using DNS redirects because there may be clients on my network that hardwire DNS servers.

I have no reason to think the TrueNAS OS itself is one of those malicious clients, at least not at this point.

Having said that, the browser settings DO matter in some part, since it’s the browser that tries to load the App icons when you go to the Apps-page, not the middleware.

Edit, half joke, half serious:
Perhaps iX should start offering prewritten USB-sticks for sale? Call them… Fish sticks! *ba dum tish*

2 Likes

I just block that so I would probably catch these clients and simply not use such devices.

You are right, but … icons :man_shrugging:

I am really only trying to get the fundamentals straight for people to have their TrueNAS system update again.

We have a ton of guides and discussion about “the best DNS solution” over on the OPNsense forum :wink: Some people swear by using an encrypted upstream - and I am not claiming there are none with a reasonable privacy policy. I personally prefer to be as independent as possible so I never use upstream DNS servers, only a local recursor.

Kind regards,
Patrick

Yeah, maybe I am not the best advocate for icons, all mine have the grey shape TN-logo.
But I think having the official apps download the apps icon every time is a flawed approach. They should be stored locally when the app is installed.