to log the connections from my Amazon Fire HD 10 tablet (whose MAC is represented by '11:22:33:aa:bb:cc').
After some hundreds of lines, I get to this line and many others like it:
23:38:30.564161 IP FIRE10.lan.47632 > ec2-3-228-179-21.compute-1.amazonaws.com.443: Flags [.], ack 4445, win 377, options [nop,nop,TS val 105511 ecr 3011436181], length 0
which seems to say that a device identifiable as IP FIRE10.lan.47632 has made a connection to a subdomain of compute-1.amazonaws.com.
I am assuming that IP FIRE10.lan.47632 is my Fire 10 device. But even if I were wrong about that, it seems unambiguous that the destination was a subdomain of compute-1.amazonaws.com.
I don't really know how to read a tcpdump screen and may be misinterpreting.
What should be my next step?
The aim is to make compute-1.amazonaws.com and all its subdomains unreachable from my router and any device having Internet connection through it.
One random idea I have is that the device may have gone via a different domain to compute-1.amazonaws.com, whereupon compute-1.amazonaws.com made an inbound connection. Would there be a way to block both outbound and inbound connections? Does either a list server or list address entry already block both outbound and inbound connections? Or do they only block the outbound?
Add option logqueries 1 to your dnsmasq config. Instead of tcpdump you can view what happens DNS-wise via logread (a bit friendlier).
Check whether your tablet is really using your owrt DNS server. If not, you can use tcpdump to filter on host and port 53 to see what the real DNS server is. If your tablet is not using basic DNS but a secure one (over HTTPS, over TLS, over QUIC, etc.), then it'll be harder to catch. Some apps have a built-in DNS server list ...
In theory, list server or list address /domain.com/ filters out all subdomains as well, not just the top one.
The adblock package is a DNS filtering solution and it uses the address=// format; you can also add your own blacklist and can force all clients on the network to use owrt ... As a last resort you may also check this app.
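Added example, not part of any post in this thread: a shell filter for the dnsmasq query log suggested above, listing the names under one domain (subdomains included) that a single client asked the router to resolve. It assumes dnsmasq's `query[TYPE] name from IP` log lines; the client address 192.168.1.50, the host names and the log lines in `sample_log` are constructed.

```shell
# List each name under a domain that one client asked dnsmasq to resolve.
# On the router: logread | queried_names 192.168.1.50 amazonaws.com
queried_names() {
    client="$1"   # client IP as it appears after "from" (assumed address)
    suffix="$2"   # domain to match, together with all of its subdomains
    awk -v client="$client" -v suffix="$suffix" '
    {
        # Find the "query[TYPE] name from ip" fields anywhere in the line
        for (i = 1; i <= NF - 3; i++) {
            if ($i ~ /^query\[/ && $(i + 2) == "from" && $(i + 3) == client) {
                name = tolower($(i + 1))
                n = length(name); s = length(suffix)
                # Exact match, or a subdomain that ends in ".suffix"
                if (name == suffix || (n > s && substr(name, n - s) == ("." suffix)))
                    if (!seen[name]++) print name
            }
        }
    }'
}

# Constructed log lines in the style of logread output with query logging on
sample_log() {
cat <<'EOF'
Mon Jan  1 23:38:29 2024 daemon.info dnsmasq[2345]: query[A] api.example.amazonaws.com from 192.168.1.50
Mon Jan  1 23:38:29 2024 daemon.info dnsmasq[2345]: forwarded api.example.amazonaws.com to 192.0.2.53
Mon Jan  1 23:38:29 2024 daemon.info dnsmasq[2345]: query[AAAA] api.example.amazonaws.com from 192.168.1.50
Mon Jan  1 23:38:30 2024 daemon.info dnsmasq[2345]: query[A] notamazonaws.com from 192.168.1.50
Mon Jan  1 23:38:31 2024 daemon.info dnsmasq[2345]: query[A] s3.amazonaws.com from 192.168.1.77
Mon Jan  1 23:38:32 2024 daemon.info dnsmasq[2345]: query[A] Metrics.Compute-1.amazonaws.com from 192.168.1.50
EOF
}

sample_log | queried_names 192.168.1.50 amazonaws.com
```

If tcpdump shows the tablet connecting to amazonaws.com hosts while this prints nothing for the tablet's address, that suggests the tablet is resolving names somewhere other than the router's dnsmasq, which name-based blocking on the router cannot affect.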
Sorry. I misspoke. I mean the other option, what you called "change them." If that means changing the tablet's own hardcoded DNS settings, that would not seem very promising and I am down to pavelgl's second link?
As for the box starting with hostip=$(nslookup, I understood that they were two lines to be executed (i.e. entered into Terminal) separately. The first line simply returned me to the prompt without any output. The second line (i.e. tcpdump etc.) gave me output in which, again, I found connections both going to and coming from subdomains of amazonaws.com.