Q: Has anyone enumerated the domains that the "MAX" service is using so I can add them to my filter?
I'm trying to update my DNS filter on my firewall and I've noticed that after they rebranded from "HBO MAX" to "MAX", all the domains changed. When I try to get to MAX on my laptop, I get a GeoIP-based block. Like many, I fixed this problem by blocking AAAA DNS from certain domains, but the domains used by "MAX" seem to have changed since the rebrand.
A user on Reddit gave me the solution. There's a browser extension called IPvFoo that will show you the resources a web page is using by IP address and thus protocol, IPv4 or IPv6. Using IPvFoo you can quickly figure out what resources should be listed in your firewall blocking list.
Thanks all
I would love if you'd give a little bit more detail... On a Linux box, I can't stream so I can't get a list of streaming IPs to block.
Here is my list. Might be overkill, but MAX is now working on my subnets.
I do this by name because the addresses aren't even remotely static. My program consumes this YAML file:
---
blocklist:
  max:
    prefixlen: 48
    sitelist:
      - www.max.com
      - auth.max.com
      - default.prd.api.max.com
      - events.prd.api.max.com
      - telegraph.prd.api.max.com
      - play.max.com
      - busy.prd.api.max.com
      - default.prd.api.max.com
      - default.use.prd.api.max.com
      - services.brightline.tv
      - cdn-media.brightline.tv
      - images.cdn.prd.api.discomax.com
      - busy.prd.api.discomax.com
      - images.cdn.prd.api.discomax.com
      - akm.prd.media.h264.io
      - gcp.prd.media.h264.io
      - cf.prd.media.h264.io
      - beam-images.warnermediacdn.com
      - lightning.warnermediacdn.com
      - wmff.warnermediacdn.com
      - geolocation.onetrust.com
Explanation: max as in "max:" refers to the HBOmax service. I have a program that goes through every name in sitelist and does an AAAA lookup. It cuts the answer back to a [...]/48 block and then adds those blocks to my firewall. My firewall sends an immediate TCP RST for new connections to any address in the set of /48 blocks.
More detail: My strategy is defense in depth. I maintain two tables on a pfSense firewall: one is a list of external addresses to automatically block when an internal host tries to start a TCP connection. The other is a list of internal addresses that see a TCP RST for any connection to IPv6 TCP port 80 or 443. Between those two lists and Happy Eyeballs, my streaming devices have no trouble consuming HBOMax. Finally, my DNS resolver doesn't do AAAA resolution for a set of domains.
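A sketch of the lookup-and-truncate step described in the post above, added here as an example and not the poster's own program. It assumes the YAML has already been loaded into a dict; the function names are hypothetical, and the sample addresses are constructed from the 2001:db8::/32 documentation range so the demo runs offline.

```python
import ipaddress
import socket


def resolve_aaaa(name):
    """Return the IPv6 addresses the system resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no AAAA record, or the lookup failed
    return [info[4][0] for info in infos]


def build_blocks(config, resolve=resolve_aaaa):
    """Map each service under 'blocklist' to its sorted, de-duplicated prefixes."""
    result = {}
    for service, entry in config["blocklist"].items():
        prefixlen = int(entry["prefixlen"])
        blocks = set()
        for name in entry["sitelist"]:
            for text in resolve(name):
                addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop zone id
                if addr.version != 6:
                    continue
                # strict=False masks off the host bits, leaving the covering block
                blocks.add(ipaddress.IPv6Network(f"{addr}/{prefixlen}", strict=False))
        result[service] = sorted(blocks)
    return result


# Constructed sample data: a subset of the sitelist and made-up answers.
SAMPLE_CONFIG = {"blocklist": {"max": {
    "prefixlen": 48,
    "sitelist": ["www.max.com", "auth.max.com", "play.max.com"],
}}}
FAKE_AAAA = {
    "www.max.com": ["2001:db8:24f8:e200::1", "2001:db8:24f8:1400::2"],
    "auth.max.com": [],  # name with no AAAA answer
    "play.max.com": ["2001:db8:a710:90b8::3"],
}


def fake_resolve(name):
    """Offline stand-in for resolve_aaaa, backed by FAKE_AAAA."""
    return FAKE_AAAA.get(name, [])


if __name__ == "__main__":
    for service, nets in build_blocks(SAMPLE_CONFIG, fake_resolve).items():
        for net in nets:
            print(service, net)
```

Because the addresses behind these names rotate, the real lookup would be re-run on a schedule and the firewall table replaced with each new result.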