This guide is a updated version of @Tgames [TUTORIAL] Blocking online updates and play online with CCProxy over at GBAtemp
A DNS workaround didnt seem to work so this is the solution.
Game updates will only work on latest firmware as this cannot avoid Nintendo firmware check
Supernag can be cleared using this

---

INSTRUCTIONS

---

WindowsLinux or Raspberri PIMacOSConfigure Switch

1. 
   Windows
   

   ---

   
   Requirements:
   
   • Windows XP or above (tested and running on 10)
     
   • A PC with same wifi access point as 3ds,wiiu and/or switch
     
   • PC needs to stay on to keep proxy running
     
   • Download Nintendo Server List
     
   • Download and install CCProxy v8.0

   ---

   
   Click on "Options"
   
   Spoiler: image

   
   
   Fill it like the picture:
   
   • Set the proxy port to 8080, the other related ports will change.
     
   • You can set to different port if 8080 is being used (808, 1080, etc)
     
   • The ip address to the right of the port should show your ip. may work on 0.0.0.0
   Spoiler: image

   
   Click on "Advanced" then choose "Networks" tab.
   Check "Disable External Users" for security reasons.
   
   If you want to allow external users (friends, family, internet) to use your proxy server, uncheck this. You may need router modifications for this to work.
   
   Click on "OK" and then again on "OK"
   
   Spoiler: image

   
   You come back here:
   
   Spoiler: image

   
   
   Click "Account"
   
   Under Permit Category Set the option to "Permit only" users using proxy based on Auth Type "MAC Address"
   Click on "Web Filter"
   
   Spoiler: image

   
   Fill it like the picture:
   
   • Set the name for your filter
     
   • Check "Site Filter"
     
   • Set "Forbidden Sites" radio choice
     
   • Click the ... and select downloaded nintendo_filter.txt This list will block all Nintendo eShop access and updates on wii, wiiu, 3ds and switch. You can open nintendo_filter.txt and add more
     
   • Click on "OK"
   Spoiler: image

   
   You will come back here
   Click on "New"
   
   Spoiler: image

   
   Fill it like the picture:
   
   • Set a User name for this account (Nintendo Switch)
     
   • Enable this account
     
   • Filter by MAC Address (enter the WiiU or Switch MAC address here)
     
   • Check "Web Filter" and select the previously defined filter rule.
   Spoiler: image

   
   In this picture, the MAC address for CCProxy is 8ccde8886752 (no spaces, hyphen or colon)
   
   Spoiler: image

   
   
   Click "OK"
   
   Spoiler: image

   
   
   You can create another Account for another console if you want. Just follow above steps with New name and MAC address, be sure you check Web Filter and select previously used rule.
   
   Now the PC is hosting a proxy server
   
   Lets move onto the switch, Click the "Configure switch proxy tab
   
   If everything went correct you should now see a active connection in your CCProxy panel. To truly see if Nintendo update server request are ignored.
   
   Spoiler: image

   
   Click "Monitor"
   
   Spoiler: image

   
   
   You should see all traffic with rejections in red.
   
   Done!
   Now Configure Switch
   
   This will block firmware downloading from nintendo's update server. This will work with Nintendo 3ds, Wii U and Switch
   
   If anyone figures out more addresses to block post results here
   for nintendo switch following two servers were denied i also added google sun.hac.lp1.d4c.nintendo.net beach.hac.lp1.eshop.nintendo.net googletagmanager.com google-analytics.com
   
   
2. 
   Linux
   

   ---

   
   Requirements:
   
   • Linux or your favorite distro
     
   • A Device with same wifi access point as 3ds,wiiu and/or switch
     
   • Device needs to stay on to keep proxy running
     
   • Squid3

   ---

   
   
   • Update and download package lists
   • Install Squid3

   sudo apt-get update
   sudo apt-get upgrade

   sudo apt install squid3

   • Download nintendont-squid.conf.txt

   sudo apt-get install wget
   cd /etc/squid3/
   wget https://nofile.io/f/yXnHxDBqWUm/nintendont-squid.conf.txt
   mv nintendont-squid.conf.txt squid.conf

   • Download nintendont-squid-blacklist.txt

   cd /etc/squid3/
   wget https://nofile.io/f/rVocC7oPN1c/nintendont-squid-blacklist.txt or goto download location
   mv nintendont-squid-blacklist.txt nintendont-blacklist.aci

   • Restart squid

   systemctl restart squid3
   
   or
   
   /etc/init.d/squid3 restart

   
   Configure proxy in Switch Settings (Port: 3128, no authentication)
   
   Confirmed working using Squid Version 3.3.8 (Docker image: sameersbn/squid)
   
   If you want to use your own squid.conf, just add these two lines to your existing squid.conf:
   

   acl bad_url dstdomain "/etc/squid3/nintendont-blacklist.acl"
   http_access deny bad_url

   
   Done!
   Now configure Switch
   
3. 
   Macintosh
   

   ---

   
   Requirements:
   
   • MacOS
   • A Device with same wifi access point as 3ds,wiiu and/or switch
   • Computer needs to stay on to keep proxy running
   • Squidman
   • nintendont-squid-blacklist

   ---

   
   
   
   • Download nintendont-squid-blacklist
     
     • Copy this file to your Documents folder
   • Download SquidMan
   After downloading SquidMan open the dmg file and move the SquidMan application into your Applications folder.
   
   Spoiler: image

   
   • Configure your proxy
   Spoiler: image

   
   • Click Clients > Preferences. Then click on "New" and add your IP range.
     
   • Add ip adresses of your console range
     • exp: switch is 192.168.1.24 and 3ds is 192.168.1.11
       • So range we will cover is 192.168.1.0 to 192.168.1.24
   Spoiler: image

   
   • Click Template
   Find and edit ACCESS CONTROL scroll down look for %DIRECTHOSTS%
   
   Spoiler: image

   
   
   and under put in

   acl bad_url dstdomain "/users/usernamegoeshere/documents/bad-sites.squid"

   As shown in example below.
   
   Spoiler: image

   
   Scroll a little down from above to http_access par and add
   

   http_access deny bad_url

   
   
   Spoiler: image

   
   Your Template should look like this
   
   Spoiler: Template

   # Access Control lists
   acl SSL_ports port 443
   acl Safe_ports port 80        # http
   acl Safe_ports port 21        # ftp
   acl Safe_ports port 443        # https
   acl Safe_ports port 70        # gopher
   acl Safe_ports port 210        # wais
   acl Safe_ports port 1025-65535    # unregistered ports
   acl Safe_ports port 280        # http-mgmt
   acl Safe_ports port 488        # gss-http
   acl Safe_ports port 591        # filemaker
   acl Safe_ports port 777        # multiling http
   acl CONNECT method CONNECT
   %ALLOWEDHOSTS%
   %DIRECTHOSTS%
   acl bad_url dstdomain "/users/usernamegoeshere/documents/bad-sites.squid"
   
   # Only allow cachemgr access from localhost
   http_access allow localhost manager
   http_access deny manager
   http_access deny bad_url

   Start the proxy server
   
   Spoiler: image

   
   
   Done!
   Now configure Switch
   
4. 
   Switch
   

   ---

   
   
   • Click "System Settings"
   • Select "internet"
   
   
   Spoiler: image

   
   
   
   • Click "Internet Settings"
   • Click "Wireless network name"
   • Click "Change Settings"
   Spoiler: image

   
   • Turn "Proxy Settings" to ON
   Set server to the ip address of your computer (your internal network ip 192.168.*.*)
   
   Set the port to 8080 if you didn't use alternative 808, 1080 or 3128 (Linux)
   
   Leave "Auto-authentication" OFF
   
   • Click Save
   CONGRATULATIONS!
   

 

[huma_dawii]

PC needs to stay on to keep proxy running

That's a no right there...

 

[DiscostewSM]

PC needs to stay on to keep proxy running

That's a no right there...

We need a RPi alternative.

 

[quacka]

We need a RPi alternative.

If you want this on RPI, get squid proxy and apply the same web filter. Should achieve the same result.

 

[Type_O_Dev]

PC needs to stay on to keep proxy running

That's a no right there...

yes as it will be proxy server

If you want this on RPI, get squid proxy and apply the same web filter. Should achieve the same result.

That will work

 

[ShinAbo]

Can i do this with my router ? adding the sites to the firewall ?

 

[Jungle_Jon]

I assume this does nothing to block firmware updates ?

 

[Type_O_Dev]

Can i do this with my router ? adding the sites to the firewall ?

Yes

I assume this does nothing to block firmware updates ?

Read the title

 

[Moquedami]

So with this method i would be able to update games in my 4.1 switch without upgrading. is that right?

 

[Type_O_Dev]

So with this method i would be able to updte games in my 4.1 switch without upgrading. is that right?

Correct

 

[Moquedami]

That's just what i needed.
I am going to try this tonight when i get home

 

[Rob Blou]

Correct

Incorrect. You'll get the error message saying that you need to update your system to proceed. Same with eShop and everything else.
I rememeber on Vita we had a similar method where you could also spoof you firmware version directly within the proxy. I wonder if something similar would work.

 

[Type_O_Dev]

Incorrect. You'll get the error message saying that you need to update your system to proceed. Same with eShop and everything else.
I rememeber on Vita we had a similar method where you could also spoof you firmware version directly within the proxy. I wonder if something similar would work.

You can update games with this method

 

[Rob Blou]

You can update games with this method

He was asking if he could upgrade games on FW 4.1 and you can't. You can on 5.1 though.

 

[Jungle_Jon]

He was asking if he could upgrade games on FW 4.1 and you can't. You can on 5.1 though.

if you are on 5.1 you can update anyway this method does nothing

 

[Rel]

Nice, this will come in handy in case I need to update my games and not update my firmware.

 

[willhack]

But let's say ninty pushes a new update (i.e 5.2.0) will we be able to still update games on 5.1 with this method ?

 

[Type_O_Dev]

But let's say ninty pushes a new update (i.e 5.2.0) will we be able to still update games on 5.1 with this method ?

This blocks the server that pushes updates, You may still get the update nag. When the console goes to do a update it will fail to download. You can also monitor traffic and add more addresses to list

 

[maxx488]

I used to do this, its a copy paste from a reddit post.

I dont see the point of this anymore... just update jeezzz

 

[Type_O_Dev]

I used to do this, its a copy paste from a reddit post.

I dont see the point of this anymore... just update jeezzz

The reddit post is mine and this is still useful