Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6 to your computer and use it in GitHub Desktop.
Save jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6 to your computer and use it in GitHub Desktop.
Prevent proxy/VPN streaming error messages from Netflix when using a Hurricane Electric IPv6 tunnel.

Workarounds for Netflix and the blocking of Hurricane Electric IPv6 tunnels

The dreaded "You seem to be using an unblocker or proxy." error message. Cool story bro.

This gist was essentially created out of my own rant about Netflix being hostile to IPv6 tunnel services since June 2016. You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network.

Since I wrote this, various GitHub users have contributed their thoughts and ideas which has been incorporated into this gist. Thank you to everyone who have contributed their own methods and implementations.

The problem

Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. A while ago it became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered to be naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences most legitimate users, that simply want IPv6 connectivity, because their ISP is stuck in 1995.

Netflix has a help article on the matter: https://help.netflix.com/en/node/277

In the early days this article didn't mention anything about IPv6 tunnels, but now it pretty much spells out if you use a tunnel service for IPv6 you are on your own and won't get any support from Netflix about it, but there is a potential workaround. In order to maintain keeping your IPv6 tunnel active while browsing Netflix you need to basically prevent any traffic to Netflix going over IPv6 and fallback to IPv4, which will likely be using your normal WAN connection from a ISP or provider which Netflix won't treat as a proxy/VPN.

To implement such a workaround you'll need to have a DNS setup that you can fully control. You'll need to have the ability to implement one of the following implementations:

  1. Return a null response on AAAA lookups for certain Netflix domains.
  2. Conditionally forward certain Netflix domain lookups to another DNS resolver that strips AAAA records from lookup responses entirely.
  3. Block or sink hole Netflix IPv6 ranges (not recommended, explained in more detail later on).

This gist focuses on using dnsmasq (commonly found in embedded products i.e. routers) but the overall concept of modifying AAAA lookup responses can be applied to other services like unbound, bind etc.

Netflix domains that need be specially handled

  • netflix.com
  • netflix.net
  • nflxvideo.net
  • nflximg.net
  • nflximg.com
  • nflxext.com
  • nflxsearch.net
  • nflxso.net

Netflix through their Open Connect programme, also lists the top level domains which requests will come from.

Method #1: Return null on AAAA lookups with dnsmasq

The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching server and address line for each domain, otherwise you will unwillingly remove A record responses. Your dnsmasq.conf could get quite long very quickly using this method. If you have a bulk load of domains you could write a script to output the server and address lines to a file with the domain being a variable in a loop, fed by a list or another source.

# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflximg.com/#
address=/nflximg.com/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/nflxso.net/#
address=/nflxso.net/::
server=/nflxsearch.net/#
address=/nflxsearch.net/::

If you are already running dnsmasq, this is the most simpliest method, without having to worry about additional configurations or services. After this configuration is applied a DNS lookup for a domain in this list would now return ::, which is the NULL response. This would prevent netflix.com requests going over IPv6 and fallback to IPv4.

; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA netflix.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6272
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;netflix.com.                   IN      AAAA

;; ANSWER SECTION:
netflix.com.            2       IN      AAAA    ::

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 28 11:23:40 GMT 2018
;; MSG SIZE  rcvd: 57

Method #2: Conditionally forward domains to a resolver that strips AAAA records

A slightly more involved method is to conditionally forward DNS requests for certain Netflix domains to another DNS resolver that will strip AAAA records from domains. In this scenario, there will be another DNS resolver running somewhere in the network.

Using dnsmasq as an example, you can define conditional forward rules like so:

# Resolve these domains with another resolver
server=/netflix.com/127.0.0.1#2053
server=/netflix.net/127.0.0.1#2053
server=/nflxext.com/127.0.0.1#2053
server=/nflximg.com/127.0.0.1#2053
server=/nflxvideo.net/127.0.0.1#2053
server=/nflxso.net/127.0.0.1#2053
server=/nflxsearch.net/127.0.0.1#2053
server=/nflxext.com/127.0.0.1#2053

127.0.0.1#2053 is the DNS resolver that will resolve the request. The DNS resolver could be anything or running anywhere. In this example, a DNS resolver is running on UDP 2053, in reality this can be anything. I will use bind for the resolver.

Creating a BIND DNS resolver that removes AAAA records from lookups

I chose bind as it has a specific parameter filter-aaaa-on-v4. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion or simply want to force IPv4 for other services for whatever reason.

options {
	directory "/tmp";
  
 	forwarders {
		208.67.222.222;
		208.67.220.220;
  	};
  
  	forward only;

  	dnssec-enable no;

  	auth-nxdomain no;
  	listen-on port 2053 { 127.0.0.1; };
  	// listen-on-v6 port 2053 { ::1; };
  	filter-aaaa-on-v4 yes;
};

You can use any forwarders you like, the example below uses OpenDNS. If you are running this on an external facing IP address, you should be careful and make sure you only allow recursion on specific requests and ACL accordingly. Not doing so will make you an open DNS resolver, it won't take long for someone to start abusing your server and generating a high rate of traffic.

The --enable-filter-aaaa option must be enabled at compile time in order for this config to work, see this page for more information:

https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html

Where this resolver runs is entirely up to you. If you are running something like OpenWRT or DD-WRT you could run bind on a non-standard port like the example to avoid a port collision with an existing DNS setup i.e. dnsmasq.

Confirming AAAA records are removed from DNS lookups

Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the additional DNS resolver you've setup.

AAAA DNS request made via Google Public DNS

Google's public DNS servers will always return AAAA records, this is what a typical request to netflix.com will look like:

dig @8.8.8.8 netflix.com AAAA
 
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21293
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;netflix.com.                   IN      AAAA
 
;; ANSWER SECTION:
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:fc9
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:177c
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:fed
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:25bf
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:d62
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:1cd2
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:22b2
netflix.com.            59      IN      AAAA    2620:108:700f::36d6:1699
 
;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 25 12:51:43 GMT 2016
;; MSG SIZE  rcvd: 264

AAAA DNS request made via the BIND DNS server we setup

Making the same request to our primary DNS resolver that has been configured to strip AAAA records, we should get no AAAA records returned, even if we explicitly request them.

dig @127.0.0.1 netflix.com AAAA
 
; <<>> DiG 9.9.9-P3 <<>> @127.0.0.1 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      AAAA
 
;; Query time: 130 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 25 12:51:43 GMT 2016
;; MSG SIZE  rcvd: 40

If you get no AAAA records returned on your DNS resolver with Netflix queries, you're in business. Future Netflix connections should now only use IPv4. If you don't get the expected output this can be due to DNS caching and depending on your setup you might have to wait a bit of time for the correct DNS lookup information to be returned. You can flush the DNS cache of dnsmasq and/or on your local device. Alternatively, you may wish to reboot your router or device supplying DNS to ensure DNS caches are cleared. If you have a DNS chain, you'll need to ensure all DNS resolvers in the chain are not caching.

If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic.

Method 3: Blocking Netflix IPv6 ranges (not recommended)

While this method can work, the problem with it is that it is static and not as future proof as DNS related options. The problem is Netflix uses various content delivery networks and obtaining the ranges for them all is difficult. Netflix can also add new IPv6 ranges at anytime. While all of the workaround options can be "broken" by Netflix changing something, in my opinion domain based rules are cleaner than IPv6 ranges. Be mindful that blocking IPv6 ranges may require you to block non-Netflix networks like content delivery networks, which could have side effects for non-related services.

If however you wish to null route or block IPv6 ranges, this can be achieved like so with ip6tables:

ip6tables -I OUTPUT -d 2a01:578:3::/64 -j REJECT
ip6tables -I FORWARD -d 2a01:578:3::/64 -j REJECT

You may have to experiment with additional ranges in order to stop Netflix using IPv6 for your geolocation.

Additional configuration

You may have to implement further changes if you experience problems with Google/Android devices.

Streaming issues with Google Chromecast/Android devices

Devices like Google Chromecast don't allow direct control of the DNS servers used and always try to use Google's Public DNS resolvers (both IPv4 and IPv6), these of course will return AAAA records and will undo any DNS workaround when streaming Netflix from such a device. You can however leverage a fallback option built into Chromecast devices (and likely other Google devices), where by if you block access to the Google Public DNS resolvers, it forces the Chromecast device to use the DHCP supplied DNS information and hence the DNS workaround will work.

An example of doing this with iptables:

iptables -I FORWARD --destination 8.8.8.8 -j REJECT
iptables -I FORWARD --destination 8.8.4.4 -j REJECT

In addition, some Google devices may also make DNS lookup requests over v6 to Google's public DNS servers, you may have to also block this traffic as well:

ip6tables -I FORWARD --destination 2001:4860:4860::8844 -j REJECT
ip6tables -I FORWARD --destination 2001:4860:4860::8888 -j REJECT

REJECT is a bit more friendly than DROP in this case, as the "fail" response will be quicker. You want the request to fail quickly in this case. You'd use DROP in a more defensive/security scenario.

If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the -s option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network.

Intercepting Google DNS traffic, rather than blocking

There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via iptables:

iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x
  • 192.168.x.x/24 - Range of your LAN, example: 192.168.1.0/24
  • 192.168.x.x - The device that is running DNS i.e. router 192.168.1.1

This method essentially allows DNS requests to 8.8.8.8 or 8.8.4.4, but the request itself will be intercepted and actually resolved by a DNS server of the users choosing, alebit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else.

DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose.

To implement this, you'll need to have a full root access to your router.

Enjoy your Netflix again!

Extra Q&A bit

In case you have any questions about the purpose/reasons for this workaround, here's some answers to potential questions you might have.

Q. Will I be able to stop using this workaround at some point?

A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar).

To clarify, Netflix is only blocking IPv6 tunnels because it cannot accurately confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have registered ultimately identifies as US to a lot of geo based systems concerning IPv6. Various Geo IP services may also differ on what country it believes the IPv6 space to be part of, which can be inconsistent. This problem however is now redundant as Netflix decided to just block any HE tunnel IPv6 prefix from even connecting to their streaming service, which is why you know get the VPN/proxy message.

Q. I use a VPN and I get the same error message, will this workaround work for this?

A. Using a VPN with Netflix is very tricky because Netflix actively blocks such services. You'll likely want to look at something called split tunnelling where by you have a VPN connection active, but send Netflix traffic through your WAN (non VPN gateway). This however is out of scope of the original purpose of this gist, but you should read up on split tunnelling options to avoid this problem.

Q. Will Netflix block my ISP connection?

A. They shouldn't do. When you use your ISPs connection, the IP address you connect from shouldn't be considered a proxy/VPN. There have been cases of false positives leading some residential IP addresses being flagged. If you are unlucky enough to end up in this situation you will need to alert your ISP/Netflix to resolve.

Q. How does this workaround work?

A. In short, the workaround forces Netflix traffic to use IPv4 for any requests when streaming. While you might think "why can't I just to make things use IPv4 first?" in reality, this is both against the general behaviour of IPv6 first and difficult to actually enforce, especially if you need to do this across different devices. Doing it at the router/DNS level allows you to control all variables required. This does require a bit of technical knowledge and control over your network however and might not be for everyone admittedly.

Q. Does Netflix support IPv6?

Yes and to their credit they have done for many years. The issue is not IPv6 itself, it is the fact that those who wish to have IPv6 but don't have native IPv6 from their ISP have opted to use tunnels using a protocol called 6in4 (Encapsulating IPv6 packets on specifically configured IPv4 links). However because of Netflix's stance on IPv6 tunnels being classified as "proxies", those that use them are now facing the challenge of not being able to access Netflix over IPv6 as when IPv6 connectivity is available this will be tried first.

Q. Will this workaround stop working in the future?

A. Depending on how you implemented it, it should be pretty robust, but if Netflix introduce a new domain not covered in the list above that has some form of IPv6 connectivity test which then determines proxy/VPN usage, it may have to be expanded, I have personally used this workaround since June 2016 and it hasn't let me down yet.

Q. Does this workaround allow me to bypass geo-restrictions?

A. No. It is simply designed to allow connectivity to Netflix, while having an IPv6 tunnel active. This does not allow you to obtain access to library content outside your region. This is basically the reason why this workaround had to be implemented in the first place for us legit IPv6 tunnel users. This is why we can't have nice things!

Q. Will Netflix unblock IPv6 tunnels in the future?

A. Probably not, they were likely pressured into it in the first place by media companies and license holders. Once the secret was out about how IPv6 tunnels were providing access to what should have been geo-restricted content, action was swiftly taken. To be honest, Netflix probably doesn't care that much about this (as long as your paying your monthly subscription!). It was more likely being lent on by higher powers, hence the rather bold straight blocking approach.

Its also worth noting that IPv6 tunnel services are intended as transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). While you wait you can also read the hilarious IPv6 excuses Twitter account for some nerdy IPv6 banter: https://twitter.com/ipv6excuses?lang=en.

Q. Do any proxy/VPN services still work with Netflix?

A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services are blocked. More recently VPN providers are trying to get clever by routing their traffic through what look like residential IPs to look less obvious to bypass blocks, but again Netflix is always watching and will ban these IPs too eventually.

Q. I'm not able to install additional software like bind, are there any alternatives?

A. Yes. There is a excellent lightweight DNS proxy specifically for Netflix IPv6 tunnel purposes. Written in Python, it should work on most Unix/Linux systems with little setup required.

https://github.com/cdhowie/netflix-no-ipv6-dns-proxy

The same concept applies, you need to have your primary DNS resolver forward requests to this proxy, be aware this DNS proxy is specifically for Netflix domain usage and won't strip the AAAA records of other domains if sent to it. You can edit the source code to expand it if you wanted to though.

Q. Who is "big media"?

A. My pet name for the media rights corporations who are probably in the illuminati stuck in the past and clearly don't understand technology.

@leshniak
Copy link

leshniak commented Feb 8, 2020

According to RFC:
ip route add prohibit 100::1/128

then in dnsmasq conf:

server=/netflix.com/#
address=/netflix.com/100::1
server=/netflix.net/#
address=/netflix.net/100::1
server=/nflxext.com/#
address=/nflxext.com/100::1
server=/nflximg.net/#
address=/nflximg.net/100::1
server=/nflxvideo.net/#
address=/nflxvideo.net/100::1
server=/nflxso.net/#
address=/nflxso.net/100::1

IPv4 fast fallback should do the rest of the trick.

@PaTTeeL
Copy link

PaTTeeL commented Mar 12, 2020

@leshniak I've read the RFC6666
Per this document, IANA has recorded the allocation of the IPv6 address prefix 0100::/64 as a Discard-Only Prefix in the "Internet Protocol Version 6 Address Space" and added the prefix to the "IANA IPv6 Special Purpose Address Registry" [IANA-IPV6REG].
So shall I use 100:: instead ?

@fogti
Copy link

fogti commented Apr 25, 2020

BIND9 rpz zone generator to avoid "filter-aaaa-on-v4", which doesn't work if other AAAA records should be resolved. (e.g. yet another work-around)...
https://gist.github.com/zserik/364c65051106546ae2b6f52b0b0bc282

@Kline-
Copy link

Kline- commented Apr 25, 2020

@zserik
Am I missing something? I still have filter-aaaa-on-v4 working fine and only blocking Netflix. I had to make some minor config adjustments after updating BIND today since filter-aaaa moved to a plugin instead.

dig @10.0.1.1 aaaa netflix.com

; <<>> DiG 9.10.3-P4-Debian <<>> @10.0.1.1 aaaa netflix.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      AAAA

;; Query time: 4 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Sat Apr 25 17:35:58 CDT 2020
;; MSG SIZE  rcvd: 40

dig @10.0.1.1 aaaa google.com

; <<>> DiG 9.10.3-P4-Debian <<>> @10.0.1.1 aaaa google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24290
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; ANSWER SECTION:
google.com.             246     IN      AAAA    2607:f8b0:4009:804::200e

;; Query time: 40 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Sat Apr 25 17:34:52 CDT 2020
;; MSG SIZE  rcvd: 67

This was the change to remove filter-aaaa-on-v4 from the global options block and instead place it within the appropriate view:

view "ipv4only" {
    plugin query "filter-aaaa.so" { filter-aaaa-on-v4 yes; };
    match-destinations { 10.255.255.254/32; };
};

All of the Netflix domains are stub zones like the following:

zone "netflix.com" {
        type forward;
        forward only;
        forwarders { 10.255.255.254 port 5353; };
};

@fogti
Copy link

fogti commented Apr 25, 2020

@Kline- nope, not missing anything, just what I came up with, alternatively...

@Kline-
Copy link

Kline- commented Apr 25, 2020

@zserik Ok, thanks! Your first reply was not long after I updated BIND today, breaking this and my RPZ setup. I just finished getting it all sorted back and wasn't sure if I overlooked something in the process!

@leshniak
Copy link

For people using dnscrypt-proxy: I've made a PR that allows to (in short) prefer IPv4 connection instead of IPv6, leaving IPv6-only sites still accessible.

https://github.com/DNSCrypt/dnscrypt-proxy/pull/1495/files

I don't know if it's gonna be merged, but you can easily compile your own binary.

@nyetwurk
Copy link

nyetwurk commented Feb 8, 2021

I had to block 2600:1f14:62a:de80::/61 recently. It is getting harder and harder to keep netflix running

@nyetwurk
Copy link

The whole point is to continue to use ipv6 tunnels.

@jamesmacwhite
Copy link
Author

@0neday Ha ha sure. Let's just continue the disable IPv6 myth to fix the problem...

Yes the original point of this was to allow an IPv6 tunnel to work with Netflix, disabling the tunnel would work of course but kind of negates having one to begin with. Chances are you want to use it right?!

@jamesmacwhite
Copy link
Author

@0neday Thanks for the follow up and further information on your use case. Sorry if my initial response seemed a bit snarky. It is just the disable IPv6 myth doesn't need any more fuel to the already massive fire it has.

To be honest you are right, we should be encouraging IPv6 usage. Unfortunately, this scenario required some form of "hack" no matter what. As it's either that, or disable your IPv6 tunnel entirely which isn't really a solution (Netflix basically says that's their recommended solution though). This however isn't really useful when you likely have an IPv6 tunnel because you want.... IPv6!

DNS based mitigation was seen as the easiest way to allow an IPv6 tunnel to still be active with Netflix and also being reasonably simple to implement. Granted not everyone likes to SSH into their router etc, but these days with packages like dnsmasq being quite common in routers, chances are you can probably configure it on a lot of home type routers as per the original examples, possibly without custom firmware like OpenWrt, so the barrier to entry is about as low as it can be.

Ultimately, yes this will "disable" IPv6 for any Netflix domains, but better than taking out the whole stack entirely I guess. Equally it should be workable across most devices at the network level, rather than having to reconfigure or mess with individual clients. Granted there are exceptions to this i.e. Chromecast and other Google devices as discovered, so I totally acknowledge it isn't perfect. Technically 6in4 tunnels are also temporary solutions too. ISPs, providers and even vendors are still lagging on IPv6, so that doesn't help the problem overall. If you had native IPv6, all of this goes away and you wouldn't need an 6in4 tunnel and none of us would be talking on this gist.

Sounds like you might have a bit of different case or setup, which if you have got a solution, great! At the end of day I wrote this partly in anger at Netflix but also for other IPv6 enthusiasts, who wouldn't take "Just disable IPv6 or stop using an IPv6 tunnel" as a valid answer, because it shouldn't be! IPv6 is the future of the internet, embrace it, it's coming!

@lykinsbd
Copy link

As Netflix is changing some of their caching/video infrastructure, I’ve had to add Amazon AWS to this list as well. This is less than ideal as it impacts many other services, but this is the easiest way I’ve found to get it working again.

server=/amazonaws.com/#
address=/amazonaws.com/::

I will note that this appears to only be for their most popular content, this new system. Which took me a while to figure out why some shows and movies weren’t there anymore, but other content was just fine.

@brianjmurrell
Copy link

BIND9 rpz zone generator to avoid "filter-aaaa-on-v4", which doesn't work if other AAAA records should be resolved. (e.g. yet another work-around)...
https://gist.github.com/zserik/364c65051106546ae2b6f52b0b0bc282

  1. Does not exist.

@wbob
Copy link

wbob commented Oct 3, 2021

cannot pinpoint the day it started to work. It was within 2021 that I could stop using a workaround and use the tunnelbroker.net ipv6 route for netflix traffic. I'm unsure to which geo region I count towards. Reading the comments to this date nobody reported similar.

@brianjmurrell
Copy link

The problem I think are the geo-ip databases. AFAIU, HE does populate geographical information with the [r]whois record for the assigned subnet. So the information is out there to properly geo-locate HE's tunnelbroker subnets. Nobody is going to the effort to actually do it though.

For example:
https://www.maxmind.com/en/geoip-demo - fail
https://tools.keycdn.com/geo - fail
https://www.whtop.com/tools.ip/ - success!
https://ipgeolocation.io/ - fail
https://www.home.neustar/resources/tools/ip-geolocation-lookup-tool - fail
https://www.ip2location.com/demo - success!
https://www.ip-lookup.org/location - fail

Do we have any idea how Netflix is getting their geo-ip data so that we can urge them to go to the effort to get it right?

@jamesmacwhite
Copy link
Author

@brianjmurrell It's a good question, although unless the situation changed Netflix ended up blocking any HE IPv6 tunnel prefix in the end, so I'm not sure it would help now. Depending on how regularly or if new pops are added, there might be a couple that get through, until Netflix update their blocklist.

It's been a long time but if I remember correctly the original problem was using a HE tunnel meant you got served different geo content in contradiction to your account settings, i.e. US when in UK. this was because of a lot of the HE IPv6 space just being branded as US origin by whatever geo IP data was in use, given the IP allocations being from ARIN. Then Netflix went up a gear and straight blocked HE tunnels entirely which as far as I know is still the case. I assume Netflix may have also adjusted how it determines what content to show, given they could just look at the Country of Residence on your Netflix account and know there's a difference, but geo IP data can be very hit and miss as you've pointed out from the varying databases entries.

So unless they've not blocked HE tunnel ranges anymore, I don't think geo IP data is going to help. They've essentially banded HE tunnels as proxy servers and treat them in a similar way to VPNs.

@durd
Copy link

durd commented Oct 6, 2021

@brianjmurrell Thanks for the list of geo-ip databases, my HE tunnel was marked at Maxmind as coming from Russia even though the tunnel is from Sweden. After several attempts I managed to update my /64 to Sweden. But that was some time after I abandoned HE IPv6. I've been planning on giving it a try again soon though.

Anyway, do not trust that the geo-ip in the whois for your IP-net is the one that is propagated.
https://support.maxmind.com/geoip-data-correction-request/

But yeah, it all depends on how Netflix looks up the geo-ip information, themselves somehow or through a service. Unless as @jamesmacwhite mentioned, all HE IPv6-space is blocked.

Edit:
Only ip-lookup.org showed my IPv6-net as from Russia now. IPGeolocation and Neustar seem to adhere to whois and showed me as from California, USA. The rest told me I was "correctly" from Sweden.

@jamesmacwhite
Copy link
Author

@durd I believe that's still the case. Netflix's own help article even directly references it

image

I've heard of some HE POP locations managing to get through in the past, so it's not 100% fool proof, but I'd imagine Netflix, like their VPN block game, will update their blocklists.

@wbob
Copy link

wbob commented Oct 10, 2021

cannot pinpoint the day it started to work. It was within 2021 that I could stop using a workaround and use the tunnelbroker.net ipv6 route for netflix traffic. I'm unsure to which geo region I count towards. Reading the comments to this date nobody reported similar.

adding to this: on the ipv6 tunnelbroker route (germany pop) there's netflix produced shows/movies only. On the ipv4 isp route it's all country content. For their own content, other studious country licensing doesn't apply, a full block isn't necessary.

@mywifiext-setup
Copy link

An IPv6 address is mainly 128 bits in length. It also consists of eight, 16-bit fields. To use Netflix you need fast internet and you can easily use Netgear extender. Just login extender with 192.168.1.250 IP address.

@jtkohl
Copy link

jtkohl commented Mar 6, 2022

Note for those using dnsmasq 2.86 or later, the behavior of address=/nflximg.net/100::1 changed. The manual page didn't get updated until slightly later:
man page update link. The man page update clarifies that for this use case, you only need address to replace AAAA records; A and other records will be left using normal upstream servers.

If you use address and server for the same domain in dnsmasq 2.86, it'll crash. There's a fix in the sources post-2.86. crash fix

@jtkohl
Copy link

jtkohl commented Mar 6, 2022

And for those using newer versions of bind, the config file syntax has changed. If you have the filter module built, you now load it with something like this in named.conf:

plugin query "/usr/lib/bind/filter-aaaa.so" {
  filter-aaaa-on-v4 yes;
  filter-aaaa-on-v6 yes;
};

@mixrouter01
Copy link

To begin, set up Orbilogin.com or the default 192.168.1.1 IP gateway. Orbilogin Setup will be installed in your default web browser, and you will be routed to the orbilogin admin portal screen. To log in, you'll need a username and password. If you are utilizing the new router, you will be sent to the orbilogin page, where the default information for the username and password will be Admin. To get to the orbilogin setup page, type orbilogin.com, orbilogin.net, or the IP address 192.168.1.1 into your browser. This will allow you to use the network's existing router settings as well as other critical functions.

Orbi Satellite Not Connecting

@adog1314
Copy link

adog1314 commented Mar 21, 2022

For anyone using AdGuard Home for DNS, I used https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnstype

Place in Filters > Custom filtering rules

||netflix.com^$dnstype=AAAA
||nflxext.com^$dnstype=AAAA
||nflximg.net^$dnstype=AAAA
||nflximg.com^$dnstype=AAAA
||nflxsearch.net^$dnstype=AAAA
||nflxso.net^$dnstype=AAAA
||nflxvideo.net^$dnstype=AAAA

For Pi Hole users you might be able to do somthing similar with https://docs.pi-hole.net/regex/pi-hole/

@wteiken
Copy link

wteiken commented Mar 29, 2022

I recently removed all the IP range blocks while changing the firewall (was using Method 3). It seems I am streaming Netflix through a Hurricane v6 tunnel for a few days now (I see the traffic on sit1). Is this a fluke or does anybody else see the same?

@jamesmacwhite
Copy link
Author

@wteiken I don't think Netflix's position on IPv6 tunnels has changed, but it has been noticed that some POP locations don't seem to be blocked. It's possible some are allowed, this could be for specific regions or territories.

@tukangintip
Copy link

tukangintip commented Aug 12, 2022

adding blocked ipv6 for disney+, when using HE, disney+ will be using HE tunnel endpoint for as region,

server=/disneyplus.com/#
address=/disneyplus.com/::
server=/bamgrid.com/#
address=/bamgrid.com/::
server=/bam.nr-data.net/#
address=/bam.nr-data.net/::
server=/cdn.registerdisney.go.com/#
address=/cdn.registerdisney.go.com/::
server=/cws.conviva.com/#
address=/cws.conviva.com/::
server=/d9.flashtalking.com/#
address=/d9.flashtalking.com/::
server=/disney-portal.my.onetrust.com/#
address=/disney-portal.my.onetrust.com/::
server=/disneyplus.bn5x.net/::#
address=/disneyplus.bn5x.net/::
server=/disneyplus.com.ssl.sc.omtrdc.net/#
address=/disneyplus.com.ssl.sc.omtrdc.net/::
server=/js-agent.newrelic.com/#
address=/js-agent.newrelic.com/::
server=/disney-plus.net/#
address=/disney-plus.net/::
server=/dssott.com/#
address=/dssott.com/::
server=/adobedtm.com/#
address=/adobedtm.com/::

@devicenull
Copy link

FYI I have noticed that the XBOX one netflix app apparently ignores your DNS server configs, and will hit 8.8.8.8 directly. I was able to correct this with some DNAT rules redirecting it back to my local unbound server. This was causing some intermittent VPN detections for me.

@awalon
Copy link

awalon commented Oct 3, 2023

For unbound pattern is:

local-zone: "<domain>" typetransparent
local-data: "<domain> IN AAAA ::"

"typetransparent" preserves "A" records from upstream server as config overwrite is record type specific.

Ex.:

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "disneyplus.com" typetransparent
local-data: "disneyplus.com IN AAAA ::"

For OpnSense this could be added. with custom config file:
/usr/local/etc/unbound.opnsense.d/custom_ipv6_filter_disney.conf

Hint: If service isn't starting add "server:" statement as fist line (only once per file):
Ex.:

server:

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "disneyplus.com" typetransparent
local-data: "disneyplus.com IN AAAA ::"

@brianjmurrell
Copy link

For unbound pattern is:

local-zone: "<domain>" typetransparent
local-data: "<domain> IN AAAA ::"

"typetransparent" preserves "A" records from upstream server as config overwrite is record type specific.

Oh, that's very nice. I wish BIND 9's RPZ implementation had an option to be transparent about an RR.

Given that it doesn't I have a script which updates the A records (since they can move around quite frequently) of zones I want to mask out AAAA lookups because of all of this shenanigans.

#!/bin/bash

set -eu

zf=/var/named/zones/rpz-$1.zone
mv $zf{,.old}
{
    head -4 $zf.old
    sed -ne '/AAAA/s/  *.*//p' $zf.old | while read z; do
        dig +short @1.1.1.1 $z | sed -n -e "1s/.*/$z      AAAA    ::/p" -e "/^[0-9\.][0-9\.]*$/s/\(.*\)/$z 60 IN A \1/p" | sort
    done
} > $zf
if ! cmp $zf{.old,}; then
    serial=$(sed -ne '1s/.* \([0-9][0-9]*\) 86400 7200 2592000 86400/\1/p' $zf)
    sed -i -e "1s/\(.*\) $serial \(86400 7200 2592000 86400\)/\1 $((serial + 1)) \2/" $zf
    diff -y $zf{.old,} || true
    rndc reload rpz-$1
fi

I run that nightly for every zone I need to apply these hacks to. Currently Disney+ and Netflix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment