Just wanted to give a heads-up that this did not work for me. I have those three domains blocked in Pi-hole and yet my Scribe updated from 5.16.9 to 5.16.21 when I toggled off airplane mode for around 20 minutes this morning.
I can confirm that some requests to softwareupdates.amazon.com were correctly blocked; no requests to the other two domains were made. There were several requests to random cloudfront.net subdomains, but not specifically to prod.ota-cloudfront.net.
There were also a number of suspicious calls to Amazon-owned domains around the time of the update, but it's hard to say which ones are directly related to the update. (Unfortunately I don't know exactly when the update was downloaded, and there's a lot of traffic on my network right now.)
- pins.amazon.com
- api.amazon.com
- kindle-time.amazon.com
- ntp-g7g-amazon.com
- cde-ta-g7g.amazon.com
- todo-ta-g7g.amazon.com
- s3.amazonaws.com
- s3.us-east-1.amazonaws.com
- sync.datamate.kindle.amazon.dev
- prod.eu-west-1.mystique.digital-books.amazon.dev
- daols-opf-eu.amazon.com
- unagi-na.amazon.com
- device-messaging-na.amazon.com
Plus other similar ones on amazon.co.uk.
Anyway, just wanted to highlight that unfortunately this method is not safe currently.