Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: primordial on June 01, 2016, 06:33:48 PM

Title: Netflix detects Toronto tunnel server as being in the US.
Post by: primordial on June 01, 2016, 06:33:48 PM
My Netflix service stopped working. For years visitors commented "you have US Netflix?!" and I said "No, not that I know of."

Turns out that I did and didn't even know it! Now Netflix is blocking me, and after a long while I finally figured out that it was because of my IPv6 tunnel. The thing is though, I am in Canada, and I use the tunnel server in Toronto, also in Canada, but Netflix detects my connections as coming from the US!

They (not very helpfully) say they can't do anything about it, and I must get my service provider to "fix" it. Well of course this problem only affects traffic coming over the IPv6 tunnel. If I shut it down, then Netflix works fine over native IPv4. I obviously still want my IPv6 connectivity, and don't have any easy way that I know of to specifically block only Netflix-related traffic from resolving IPv6 addresses and using the tunnel.

So, Tunnelbroker gurus, can you "fix" the tunnel server in Toronto to actually show up as being in Canada?
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: broquea on June 01, 2016, 06:49:43 PM
Our /32 is registered as part of a US company, and that is the address space being used there. We do not have any IPv6 allocations allocated and designated as "Canada". Our /32 is used globally, as-is. If Netflix has some sort of whitelisting system in place, perhaps the ranges used there can be submitted, if such a whitelist exists, Netflix willing.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: kcochran on June 01, 2016, 07:13:24 PM
Just as an additional addendum: there's no central repository for geolocation<>IP data.  Anyone telling you otherwise is trying to sell you something (possibly geolocation services).  The closest thing to such is the regional registry's data of who has been allocated which blocks of IPs.  At best that tells you where the business is located, but doesn't mean anything in regards to any end-user's location using that IP.  We publish reasonably anonymized location data (city, region, country) in rWHOIS for all tunnel allocations and services are welcome to use that data.  There was a push for a while from Google in the IETF[1] for an ISP provided location/IP map feed specification, however it looks like that proposal died as it expired over two years ago.

[1] https://tools.ietf.org/html/draft-google-self-published-geofeeds-02
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: Napsterbater on June 01, 2016, 09:00:26 PM
Netflix seems to be blocking he.net IPv6 addresses now. I'm a US resident, and I sub to Netflix, and have a tunnel for v6. Netflix will now show its Proxy/VPN block message if you connect to Netflix via IPv6 from an HE IPv6 block, or maybe just the ones it has associated with the tunnel servers. I also just saw an e-mail on the NANOG mailing list about another user having the same issue.

(https://www.napshome.net/public/he/netflixerror.PNG)
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: JRMTL on June 01, 2016, 11:35:07 PM
Ya just started acting up for me as well. @Napsterbater if you get a response from netflix can you follow up here?
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: Napsterbater on June 02, 2016, 11:13:49 AM
I wasn't planning on it... I know why they are blocking it, and talking to a CSR who has no clue what IPv6 even is isn't gonna help.

The person on the NANOG list contacted them and they told him to tell his ISP to remove the VPN they added to his account.... So yeah... He discovered it was the IPv6 after that though.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: yorxnet on June 02, 2016, 12:25:08 PM
This started happening to me this afternoon. Called Netflix support, and based on that conversation I concluded they consider Tunnelbroker a VPN/Proxy. They're not wrong, but it's still frustrating. Ironically the show I was trying to resume is a Netflix original. I wouldn't have expected that there would be licensing issues on their own content.

I suppose it's time to put more pressure on the ISP for native IPv6 now. Will probably get the same response as usual.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: yorxnet on June 02, 2016, 12:27:45 PM
Quote from: broquea on June 01, 2016, 06:49:43 PM
Our /32 is registered as part of a US company, and that is the address space being used there. We do not have any IPv6 allocations allocated and designated as "Canada". Our /32 is used globally, as-is. If Netflix has some sort of whitelisting system in place, perhaps the ranges used there can be submitted, if such a whitelist exists, Netflix willing.

According to the Netflix support staff I spoke with, the proxy error was triggered simply because I was seen from Oregon on IPv4, while IPv6 showed your Washington registry information. I'd wager they've assessed your /32 as a tunneling service, and will likely blacklist your block.  :'(
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cdhowie on June 02, 2016, 02:54:03 PM
Add me to the list of users affected.  I have sent them a few angry tweets.  Sometimes social media can get a company's attention since it's content they can't control, and has a negative PR impact.  I would suggest everyone affected tweet at them with a summary of the problem.

In the meantime, I'm trying to determine if there is a subnet I can block in my FORWARD chain that will kick Netflix over to IPv4, otherwise my only option is to entirely ditch IPv6 (which, of course, is not going to happen).
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: yorxnet on June 02, 2016, 06:18:35 PM
Here's what I came up with for a workaround.

I have an ASUS RT-N66U doing my tunnel duties. It's running DNSMasq which allows for configuration that can override the behavior for domains.

I added "server=/netflix.com/N.N.N.N" to my resolv.dnsmasq file where N.N.N.N is an IPv4 address of a BIND9 DNS host I have control over. This will cause DNSMasq to forward any lookups for netflix.com to that host.

On the BIND9 host I added "filter-aaaa-on-v4 yes;" to the options section of the configuration file.  I then added "filter-aaaa { filter-aaaa-addresses; };" and created an ACL to match that included my ASUS public IP. I also had to enable recursion from my address on the host.

Net result is that when I ask for netflix.com addresses, that request is forwarded on IPv4 to the BIND9 host. When the BIND9 host sees the query on IPv4 it filters out the AAAA responses. The filter-aaaa acl statement is an effort to limit the filtering just to my host specifically.

This was a quick hack that won't likely survive a reboot of the ASUS.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cdhowie on June 02, 2016, 06:27:49 PM
yorxnet, that's surprisingly similar to the workaround that I'm developing.

I wrote a tiny DNS forwarder (https://gist.github.com/cdhowie/c38d5651f2cb150bf37cb449d147eb3f) using Twisted Names that will return an empty result for all AAAA queries for netflix.com or a subdomain thereof, and will forward all other requests to my dnsmasq server.  I have tested that the forwarder does what I want using dig, but haven't yet set it up on the network and tested with Netflix.  (About to help with the kid's bedtime routine, standby.)
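The AAAA-scrubbing approach described in the two posts above (yorxnet's dnsmasq-plus-BIND filter and cdhowie's Twisted Names forwarder), shown as an added example that is neither the linked gist nor code from the original thread. It is a standard-library-only Python sketch of the decision logic a filtering forwarder needs: parse the question out of a wire-format query, answer AAAA queries for netflix.com (or any subdomain) with an empty NOERROR reply so the stub resolver falls back to A, and hand everything else to the upstream resolver. The suffix list, the listen address and the upstream address are placeholders chosen for this example; the demo queries are constructed inline so it runs offline.

```python
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
# Assumption: zones whose AAAA answers are suppressed (the thread's case is netflix.com).
SUPPRESS_AAAA_SUFFIXES = ("netflix.com",)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Construct a standard recursive query (used by the offline demo and tests)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Parse the header and the single question.
    Returns (txid, flags, qname, qtype, qclass, offset just past the question)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is never valid in a query's question
            raise ValueError("compression pointer in QNAME")
        labels.append(msg[pos:pos + length].decode("latin-1").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pos + 4


def under_suffix(qname: str, suffixes) -> bool:
    """True if qname equals a suffix or is a subdomain of it (label boundary respected)."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def empty_response(query: bytes, qend: int) -> bytes:
    """NOERROR reply echoing the question with zero answer RRs.
    A stub resolver treats this as 'no AAAA record' and uses the A record instead."""
    txid, flags = struct.unpack("!HH", query[:4])
    resp_flags = 0x8000 | (flags & 0x7900) | 0x0080  # QR=1, keep opcode+RD, RA=1, RCODE=0
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + query[12:qend]


def handle(query: bytes):
    """Decide what to do with one query: ('respond', wire_reply) or ('forward', None)."""
    _, _, qname, qtype, qclass, qend = parse_question(query)
    if qtype == QTYPE_AAAA and qclass == 1 and under_suffix(qname, SUPPRESS_AAAA_SUFFIXES):
        return "respond", empty_response(query, qend)
    return "forward", None


def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """Minimal UDP loop: answer suppressed AAAA queries locally, relay the rest.
    Both addresses are placeholders for this example; not exercised offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(4096)
        try:
            action, reply = handle(query)
        except ValueError:
            continue  # malformed query: drop it rather than relay garbage upstream
        if action == "forward":
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            try:
                up.sendto(query, upstream)
                reply, _ = up.recvfrom(4096)
            except socket.timeout:
                continue
            finally:
                up.close()
        sock.sendto(reply, client)


def demo():
    """Classify a few constructed queries (sample input, not captured traffic)."""
    for name, qtype in (("www.netflix.com", QTYPE_AAAA), ("www.netflix.com", QTYPE_A),
                        ("notnetflix.com", QTYPE_AAAA), ("example.org", QTYPE_AAAA)):
        action, reply = handle(build_query(0x1234, name, qtype))
        print(f"{name:18} qtype {qtype:2} -> {action}", f"({len(reply)} bytes)" if reply else "")


if __name__ == "__main__":
    demo()
```

Two details matter for a stub resolver to fall back cleanly: the reply must be NOERROR with an empty answer section (an NXDOMAIN would also poison the A lookup on some resolvers), and the suffix match must respect label boundaries so that notnetflix.com is not swept up. An EDNS OPT record in the query is simply not echoed, which stubs accept.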
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cdhowie on June 02, 2016, 07:10:39 PM
I have tested the server I linked to in my last post, fixed a few bugs, and we are now in business -- I still have IPv6 through HE and I can watch Netflix again.  Hopefully this will be useful to someone else.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: sodre on June 02, 2016, 08:26:09 PM
This happened to me as well, calling CS was pointless.

Does anyone have a #tag for twitter that we can voice our opinion on?

- P.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: obsessive on June 03, 2016, 07:26:41 AM
For those of you who are running BSD routers/firewalls, you can null route Netflix's IPv6 prefixes. Null routing will send an ICMPv6 message back to the device telling it that the host is "unreachable", and the device can then fail over to using IPv4 (assuming you have a dual-stack network running).

I ran the following commands on my firewall:

route add -net 2620:108:700f:: ::1 -reject
route add -net 2406:da00:ff00:: ::1 -reject

And to persist at boot I added the following to the end my /etc/hostname.gif0 file:
!route add -net 2620:108:700f:: ::1 -reject
!route add -net 2406:da00:ff00:: ::1 -reject

After doing this, I can playback netflix just fine on all of my devices now.

Hope this helps someone
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cdhowie on June 03, 2016, 07:39:06 AM
Quote from: obsessive on June 03, 2016, 07:26:41 AMI ran the following commands on my firewall:

route add -net 2620:108:700f:: ::1 -reject
route add -net 2406:da00:ff00:: ::1 -reject
Just beware that these ranges belong to Amazon Web Services, so you're v6-blocking a whole lot more than Netflix.  That may be okay with you; this is more for others who might consider doing the same thing.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: obsessive on June 03, 2016, 07:42:42 AM
Yeah, I noticed that. Until I added the last range, streaming would work sporadically. I might have to filter out the AAAA records from the DNS servers to be on the safe side.

[edit]

But then again, I didn't think AWS supported IPv6, so I guess until they do, I'm kicking the can down the road a bit.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: sabersix on June 03, 2016, 07:54:54 AM
Quote from: cdhowie on June 02, 2016, 02:54:03 PM
Add me to the list of users affected.  I have sent them a few angry tweets.  Sometimes social media can get a company's attention since it's content they can't control, and has a negative PR impact.  I would suggest everyone affected tweet at them with a summary of the problem.

In the meantime, I'm trying to determine if there is a subnet I can block in my FORWARD chain that will kick Netflix over to IPv4, otherwise my only option is to entirely ditch IPv6 (which, of course, is not going to happen).


Yeah... I just got bit by this yesterday.  I'm using the HE server in LAX.  But my CenturyLink DSL I think shows up as some place else in the SW.  <sigh>
Anyway.. I did tweet them, but so far no reply... not overly shocked on it.
I will drop Netflix before I do v6.

I've been trying to figure out how to force v4 DNS for *.netflix.com on OpenWRT on my router but not having much luck (using OpenDNS resolvers).   If anyone can point me in the right direction that would be most appreciated.


Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cdhowie on June 03, 2016, 07:57:13 AM
Quote from: sabersix on June 03, 2016, 07:54:54 AMI've been trying to figure out how to force v4 DNS for *.netflix.com on OpenWRT on my router but not having much luck (using OpenDNS revolvers).   If anyone can point me in the right direction that would be most appreciated.

I wrote this (https://gist.github.com/cdhowie/c38d5651f2cb150bf37cb449d147eb3f) yesterday and it solved my problem.  It's a DNS proxy that returns empty responses for AAAA requests for *.netflix.com and passes everything else onto another server.  If you cannot install it on your router, you could install it on a different Linux machine on your network and have it proxy DNS requests to your router, assuming you can change the DNS servers advertised by your DHCP server.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: sabersix on June 03, 2016, 11:17:03 AM
Quote from: cdhowie on June 03, 2016, 07:57:13 AM
I wrote this (https://gist.github.com/cdhowie/c38d5651f2cb150bf37cb449d147eb3f) yesterday and it solved my problem.  It's a DNS proxy that returns empty responses for AAAA requests for *.netflix.com and passes everything else onto another server.  If you cannot install it on your router, you could install it on a different Linux machine on your network and have it proxy DNS requests to your router, assuming you can change the DNS servers advertised by your DHCP server.


Sweet.  Thanks.  Installing a Ubuntu VM now to give it a shot.

Thanks
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: sabersix on June 03, 2016, 05:10:29 PM
Just posting a follow up to your DNS proxy.  Works like a charm!  Took a bit to get my DHCPv6 stuff working right to clients to use the proxy.  Once that was figured out.. Windows clients worked like a charm.

Mac... not so much.   I had to put in an option into the DHCPv4 setup to override the IP that was going out on the LAN interface and use the v4 address of the proxy VM I set up.   Once the Macs rebooted.. they got the v4 of the proxy and v6 of the proxy and Netflix worked on them.   Not overly concerning, but was more for my learning.

AppleTV only allows for v4 config, but had the v6 proxy addy.  But still didn't work.  Manually configured it to use v4 of the proxy and it started to work.

My guess is the iPads and what not will work now as well with reboots/renews... but .. ooo.. shiny... Netflix on Apple TV..

thanks again for the code/proxy you wrote.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: jeremyhu on June 03, 2016, 09:41:52 PM
I just noticed this today as well  >:(

I'm in the SF Bay Area and go through Fremont.

I was on the phone with Netflix for almost two hours.  The first CSR that I was talking to had absolutely zero knowledge of networking.  After over an hour of waiting on hold, trying to educate the CSR about IPv6, and going through their insane resolution flowchart because it was easier than arguing with them, I finally got a supervisor who was just as unhelpful.  She continued to insist that there is no problem with their systems and that if I was still getting this error after rebooting my computer I should contact my ISP, because it must be the case that my ISP is reporting to Netflix that I'm connecting through an illegal proxy server.  I tried to inform her how completely ridiculous that statement was, about how ISPs don't report that information, how there is no global geoip database, and how multiple customers started reporting these issues in the past 48 hours, but she refused to budge.

I gave up.  So this is me "contacting my ISP".  Can someone at HE please go beat Netflix with a Do-Better-Stick?
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: sabersix on June 04, 2016, 03:37:26 AM
Quote from: jeremyhu on June 03, 2016, 09:41:52 PM

I gave up.  So this is me "contacting my ISP".  Can someone at HE please go beat Netflix with a Do-Better-Stick?

And a clue bat.    ;)

I called them too before putting in the DNS proxy thing and they kept pointing at my ISP.  I told them that was ridiculous as if it was my ISP, they would get crushed with calls as it's an eyeball network. 

They seem to be acting just like Team Viewer.  "We have no issues, we blame <everything but us>"

Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: aandaluz on June 04, 2016, 05:32:05 AM
I'm also affected by this block, although my endpoint is in Paris, so not much would have changed over IPv4, right? (tunnel server at Paris).

It is sad to force Netflix to work over IPv4 for the time being until my ISP deploys IPv6 natively. But it seems that Hollywood and media producers still don't get what global entertainment consumers really want...
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: derby on June 05, 2016, 11:17:48 AM
I started getting blocked, too, on Jun 2.  My ISP is Verizon FIOS, so it will be a long time before they get IPv6.  I've been running an HE tunnel for years and it has worked perfectly.  I have a Cisco 1921 router, but it's been a long time since I waded through IOS to set up the router.  If anyone figures out how to tell Cisco IOS to only provide IPv4 on the interface used by the Apple TV ver 4, I can connect the two Apple TVs to two ethernet interfaces on the Cisco 1921 and get Netflix back without having to drop the IPv6 tunnel.

I tried setting DNS on the Apple TV ver 4 to Google's DNS server, 8.8.8.8 but for some reason the Apple TV still defaults to IPv6 and Netflix reports back:

Streaming Error  You seem to be using an unblocker or proxy. Please turn off any of these services and try again. For more help, visit netflix.com/proxy.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: broquea on June 05, 2016, 12:04:00 PM
Just because you set a DNS server to an IPv4 address, doesn't mean it won't return AAAA records.
If it returns AAAA records, and you have IPv6 connectivity, your device will try to use IPv6.

There are reddit threads with people listing IPv6 ranges to drop routing to, that force Netflix to fail over to IPv4 when unreachable.
If you try that, then IPv6 should continue working everywhere else but Netflix and anything else in those ranges.
Or you can try the DNS scrubbing proxy someone in here already made.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: derby on June 05, 2016, 12:28:33 PM
Agree that normally AAAA records are returned from IPv4 DNS requests, but several postings on the internet indicated Google was only returning IPv4 addresses on their 8.8.8.8 DNS servers.  Obviously this is wrong info.

Shouldn't blocking IPv6 traffic from my Cisco 1921 router to the Apple TV, by instructing IOS to not provide IPv6 on the router's interface where the Apple TV is connected, solve the problem, too?

If IPv6 traffic is blocked on just that interface, then the Apple TV would think IPv6 was not available and only make IPv4 requests.  That seems pretty straightforward to me.  Maybe I'm missing something.

I was hoping someone had tried this approach.  I searched the web and found other approaches but not this one.  I'll look into the reddit threads for dropping IPv6 ranges.  My understanding is that Netflix is hosted at AWS so dropping routing to IP addresses would be blocking more than just Netflix.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: JRMTL on June 05, 2016, 02:03:27 PM
@derby

that's pretty much the approach I'm using. I setup an IPv4 only guest wifi SSID on my AP. Netflix is working fine on my ATV
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: derby on June 05, 2016, 04:11:30 PM
I found a work around until Netflix figures out a way to not penalize the few of us that are using IPv6 tunnels until our ISP catches up  with their onerous blocking...  (I'm not holding my breath waiting for Verizon FIOS to support IPv6)

I set up an Ubiquiti UniFi AP-AC in "guest" mode.  This Level 2 access point provides IPv4 connectivity to the router, but does not provision the clients with IPv6 addresses in guest mode.  So the Apple TV is now an authorized "guest" for 365 days before having to authorize again to the UniFi Access Point and Netflix now streams to the Apple TV.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cshilton on June 08, 2016, 03:08:55 PM
Thanks for this code cdhowie! I run OpenBSD 5.8 on my router. I was able to get this going by installing the devel/py-twisted port on my machine and then running this code after configuration. I'll generate an OpenBSD rcctl script for people who are interested.

-- Chris
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: bjo on June 18, 2016, 12:00:17 PM
I'm also affected (with 2 tunnels in Frankfurt, one running at home and one at my gf's home). Some weeks ago I talked to Netflix and they said I should talk to my ISP to get a new IP. Well, yeah  >:(
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: teddo on June 19, 2016, 06:00:32 PM
#!/bin/sh
# Block Netflix (AS2906) and related AWS IPv6 prefixes on the HE tunnel link.
# Outbound packets get ICMPv6 "address unreachable", so dual-stack clients
# fall back to IPv4 for Netflix while IPv6 keeps working for everything else.
TUN=sixbone   # the ipv6/ip link that carries the HE tunnel

echo 'Clearing all rules'
ip6tables -F
ip6tables -X

echo 'Creating tables'
echo '  NetflixBlacklist'
ip6tables -N NetflixBlacklist

echo ' '
echo 'NetflixBlacklist (Netflix frowns on IPv6 tunnelbrokers)'
# One "prefix|owner" line per entry. Several of the /48s sit inside
# 2a00:86c0::/32 and are already covered by its rule; they are kept as posted.
while IFS='|' read -r prefix owner; do
    [ -n "$prefix" ] || continue
    echo "  $prefix (src) -> drop [$owner]"
    ip6tables -A NetflixBlacklist -i "$TUN" -s "$prefix" -j DROP
    echo "  $prefix (dst) -> reject [$owner]"
    ip6tables -A NetflixBlacklist -o "$TUN" -d "$prefix" -j REJECT --reject-with icmp6-addr-unreachable
done <<'EOF'
2a00:86c0::/32|AS2906 Netflix owned
2620:10C:7000::/44|AS2906 Netflix owned
2a00:86c0:d0b0::/48|AS2906 Netflix owned
2a00:86c0:d0b1::/48|AS2906 Netflix owned
2607:FB10::/32|AS2906 Netflix owned
2a00:86c0:116::/48|AS2906 Netflix owned
2a00:86c0:117::/48|AS2906 Netflix owned
2a00:86c0:118::/48|AS2906 Netflix owned
2a00:86c0:119::/48|AS2906 Netflix owned
2a00:86c0:120::/48|AS2906 Netflix owned
2a00:86c0:121::/48|AS2906 Netflix owned
2a00:86c0:1018::/48|AS2906 Netflix owned
2a00:86c0:126::/48|AS2906 Netflix owned
2a00:86c0:127::/48|AS2906 Netflix owned
2a00:86c0:1029::/48|AS2906 Netflix owned
2a00:86c0:1028::/48|AS2906 Netflix owned
2406:da00:ff00::/96|AWS owned, associated with Netflix
EOF

echo ' '
echo 'FORWARD table (default: ACCEPT)'
echo '  check NetflixBlacklist'
ip6tables -A FORWARD -j NetflixBlacklist


I didn't have this problem until a couple days ago. I'm unhappy with the change. I have a box that forwards traffic to and from the Internet (masquerading for IPv4, and tunnel broker for IPv6).  I added this bit of code to my IPv6 firewall script. NetflixBlacklist is a chain that I created in the filter table, and I added a rule in the FORWARD chain to send all packets to that table. FORWARD defaults to accept. sixbone is the name of the ipv6/ip link that connects to HE's tunnel. This is a partial view of my firewall script, as I block other ports as well.

So far, this seems to work for me. Hopefully this bit of code can save you some time and grief. Shame on Netflix for blocking tunnel broker.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: obsessive on June 23, 2016, 08:33:43 PM
For those feeling a bit adventurous.. I have created a dns-proxy (golang) that will allow you to reject AAAA netflix replies https://github.com/hasanihunter/dns-filter
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: artooro on July 01, 2016, 08:15:30 AM
With the combination of Netflix blocking HE.net and now their price hike for HD video, I have cancelled my Netflix account. When the issue with tunnelbroker.net is resolved we'll see, might subscribe again.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: lbarros on July 07, 2016, 06:01:58 AM
I guess if I black hole all IPv6 prefixes for Netflix originating from AS2906 (Netflix) and send an ICMP unreachable, that should do it

http://bgp.he.net/AS2906#_prefixes6
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: JDog2pt0 on July 10, 2016, 11:11:46 PM
So, since I'm just running a Linksys wireless router with Tomato on it I haven't been able to find a way to do anything listed in this thread here. Is there any chance that an iptables rule could be written to force Netflix to use IPv4? If so, is there anyone here who could write one? I know nothing of iptables and my research online turned up nothing conclusive.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: link9 on August 04, 2016, 12:31:42 PM
I just ran into this after trying Netflix on my Apple TV for the first time.

The workaround I am now using is to simply block the Apple TV from having IPv6 functionality. No big deal as the only other use it really has is for AirPlay. I couldn't see how to do this on the Apple TV itself so instead I blocked it on the router.

In my case this is an EdgeRouter but I'd expect this syntax to work with VyOS etc too.


> edit firewall ipv6-name localLANipv6 rule 100

rule 100 {
     action drop
     description "Block Apple TV from IPv6 so Netflix works"
     protocol all
     source {
         mac-address xx:xx:xx:xx:xx:xx
     }
}
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: ggee on August 07, 2016, 06:29:28 PM
I've noticed today that Netflix seems to be working again without any workarounds.  Any one else seeing it working now?



Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: link9 on August 10, 2016, 02:11:11 PM
Yup - seems to be working again for me too (based in the UK, Netflix showing UK content).
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: hazza on August 11, 2016, 11:35:15 AM
Just turned off my Netflix AAAA DNS filter, and it's working fine! (For now...)
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: bjo on August 14, 2016, 12:39:46 PM
Yep, working here again with Frankfurt tunnels  :)
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: ascareg on September 29, 2016, 05:07:46 PM
As of today, my HE tunnel (Chicago endpoint) is being blocked by Netflix again. :(
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: Bieniu on September 30, 2016, 02:02:26 AM
Same for me with endpoint Warsaw. Netflix is blocked again.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: bjo on September 30, 2016, 06:32:07 AM
Same sh*t, different endpoint: Berlin.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: hevanaa on October 02, 2016, 12:32:08 AM
Also the Stockholm endpoint is disabled, so I had to block requests to the Netflix IP addresses (taken from Reddit):

2a01:578:3::/48
2406:da00:ff00::/48
2600:1407:19::/48
2607:f8b0:4001::/48
2620:108:700f::/48

I don't understand the reasoning for blocking, because Netflix clearly has some kind of geoip system in place. I have had the same content on IPv6 and IPv4. It was more than a year ago or so, when there were occasional glitches and I was suddenly seeing content from US servers on IPv6. That was very slow and annoying. Luckily it was fixed and has worked fine ever since until the total blocking of the tunnel. It is a shame.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: dhenderson on October 05, 2016, 07:23:24 PM
Yup - looks like the Toronto endpoint is hit as well. Oddly enough, I never noticed a blockage in July/August...
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: rldleblanc on October 07, 2016, 04:12:00 PM
I already had a bind9 server, so setting up dnsmasq was just not appealing. After some trial and error, I think I got something that works.

Create an IP alias on an adapter in a subnet that you aren't going to use. ifconfig eth0:0 192.168.254.1/24 (You might be able to use an alias on the loopback device)

In the options section, be sure it is "listen-on { any; };" or has the IP address in the list. I created a new view for Netflix:

view "nf-fix" {
        match-destinations { 192.168.254.1; };
        recursion yes;
        dnssec-enable no;
        filter-aaaa-on-v4 yes;
};

And then in my view that my clients use for resolution I added:

zone "netflix.com" {
        type forward;
        forwarders { 192.168.2.1; };
        forward only;
};

This would be much easier if you could just specify filter-aaaa-on-v4 in a zone config. Basically, we are setting up a virtual bind instance to only handle forwards for Netflix and then we send our client requests for Netflix to it, which strips off the AAAA records. The nice thing is that you can just add a zone name for any other zones that are going to misbehave like Netflix. I've noticed that sometimes dig will cause bind to barf, but "host netflix.com" always seems to work just fine. I'm not where I can actually test Netflix at the moment, but I'll follow up if I run into some major issues.

An example of the error is:
named[4536]: DNS format error from 192.168.2.1#53 resolving www.latency.prodaa.netflix.com/ANY for client 192.168.21.10#38097: Name . (NS) not subdomain of zone netflix.com -- invalid response
named[4536]: error (FORMERR) resolving 'www.latency.prodaa.netflix.com/ANY/IN': 192.168.2.1#53

I hope it helps someone.
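Added illustration, not code from the post above or from BIND itself: a small Python model of what the "nf-fix" view with filter-aaaa-on-v4 does on the wire. The forward zone decides by query name which requests reach the filtering view, and the view then drops every AAAA record from the reply, regardless of which owner name carries it. The sample reply, the CNAME target cdn.example.net and the addresses are constructed placeholders.

```python
import struct

# Constructed sample; zone list and addresses are made up for the example.
FILTER_ZONES = ("netflix.com",)
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                        # bounded: guards against pointer loops
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def in_zones(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def strip_aaaa(msg, zones=FILTER_ZONES):
    """If the query name is inside one of `zones`, return the response with every AAAA
    record removed (what the filtering view does); otherwise return it unchanged.
    Kept records are re-emitted with uncompressed names so no compression pointer
    can dangle into a dropped record."""
    hdr = list(struct.unpack("!6H", msg[:12]))
    qname, off = read_name(msg, 12)
    off += 4                                    # QTYPE + QCLASS
    if hdr[2] != 1 or not in_zones(qname, zones):
        return msg
    question = msg[12:off]
    sections = []
    for idx in (3, 4, 5):                       # answer, authority, additional counts
        kept = []
        for _ in range(hdr[idx]):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off, off = off + 10, off + 10 + rdlen
            if rtype == TYPE_AAAA:
                continue
            rdata = msg[rdata_off:off]
            if rtype in (TYPE_CNAME, TYPE_NS):  # rdata is a name: expand it as well
                rdata = encode_name(read_name(msg, rdata_off)[0])
            kept.append(encode_name(name)
                        + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)
        hdr[idx] = len(kept)
        sections.append(b"".join(kept))
    return struct.pack("!6H", *hdr) + question + b"".join(sections)


def list_records(msg):
    """Return [(owner, rtype), ...] over all three record sections, for inspection."""
    hdr = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(hdr[2]):
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(hdr[3] + hdr[4] + hdr[5]):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        out.append((name, rtype))
        off += 10 + rdlen
    return out


def build_sample_response():
    """Constructed dual-stack reply: www.netflix.com is a CNAME into another domain
    and the AAAA sits on the target. Addresses are from documentation ranges."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    q = encode_name("www.netflix.com") + struct.pack("!HH", TYPE_AAAA, 1)
    target = "cdn.example.net"
    cn = encode_name(target)
    rr_cname = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 60, len(cn)) + cn
    v6 = bytes.fromhex("20010db8000000000000000000000001")      # 2001:db8::1
    rr_aaaa = encode_name(target) + struct.pack("!HHIH", TYPE_AAAA, 1, 60, 16) + v6
    rr_a = encode_name(target) + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10])
    return hdr + q + rr_cname + rr_aaaa + rr_a


if __name__ == "__main__":
    print("before:", list_records(build_sample_response()))
    print("after: ", list_records(strip_aaaa(build_sample_response())))
```

The point the sample makes: because the decision is keyed on the query name rather than on each record's owner, a CNAME that leaves netflix.com for some CDN domain still has its AAAA removed. Per-domain answer overrides (the dnsmasq and unbound lists further down the thread) have to enumerate every domain in such a chain to get the same effect.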
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: rldleblanc on October 07, 2016, 11:52:54 PM
OK, after getting home, the computer worked fine, but the Android phone didn't. Turns out that even after setting up radvd to send RDNSS and DNSSL info, Android still insists on using their name servers for IPv4 and IPv6 bypassing the work done on bind. So iptables to the rescue....

# If IPv6 DNS queries are not destined for our DNS server, redirect them to it
ip6tables -t nat -A PREROUTING -p udp --dport 53 -s 2001:470:wwww:xxxx::/64 ! -d 2001:470:wwww:xxxx::1 -j DNAT --to-destination 2001:470:wwww:xxxx::1
ip6tables -t nat -A PREROUTING -p tcp --dport 53 -s 2001:470:wwww:xxxx::/64 ! -d 2001:470:wwww:xxxx::1 -j DNAT --to-destination 2001:470:wwww:xxxx::1
# Protect packets already destined for our ipv4 DNS server by accepting them
iptables -t nat -A PREROUTING -p udp --dport 53 -d 192.168.yyy.1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 53 -d 192.168.yyy.1 -j ACCEPT
# If IPv4 queries are not destined for our DNS server, redirect them to it
iptables -t nat -A PREROUTING -p udp --dport 53 -s 192.168.yyy.0/24 ! -d 192.168.yyy.1 -j DNAT --to-destination 192.168.yyy.1
iptables -t nat -A PREROUTING -p tcp --dport 53 -s 192.168.yyy.0/24 ! -d 192.168.yyy.1 -j DNAT --to-destination 192.168.yyy.1


This allows the Android phone to use Netflix without getting the tunnel error and without having to hack the phone's DNS. There is a delay to start watching videos as it tries really hard to get an AAAA record through both IPv6 and IPv4 and by requesting AAAA records specifically before trying A/ANY records. At least it is watchable and I don't have to sacrifice any other IPv6 sites.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: bjo on October 27, 2016, 01:22:48 PM
Yay, the Fritzbox 7390 beta firmware supports IPv6 routes now, so I could nullroute the netflix prefixes.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: customcomputerca on December 10, 2016, 08:47:35 PM
Using pfSense I was able to get Netflix to work by blocking 2620:108:700f::/48 on the LAN interface, TCP port 443 only.  If another range of addresses comes up I'll update this post.

Update: Had to block 2406:da00:ff00::/48 as well.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: mikerichardson on December 31, 2016, 01:30:04 AM
I had a much easier workaround when using Tunnel Broker.

In /etc/hosts (and/or the Windows equivalent)
::1            www.netflix.com
52.86.14.136   www.netflix.com


Replace the IP with some random one from a "host www.netflix.com".

If the site breaks later, update the IP.

This is obviously impossible to do directly on a ROKU, etc. so the other solutions would still apply. (does a ROKU obtain an IPv6? I know that an old TiVo HD does not)

For some reason, if the initial contact is not via IPv6, none of the subsequent will be via IPv6 either.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: DyslexicFish on January 01, 2017, 06:59:47 AM
Quote from: hevanaa on October 02, 2016, 12:32:08 AM
I don't understand the reasoning for blocking, because Netflix clearly have some kind of geoip system in place. I have had the same content on IPV6 and IPV4.

Because it's not relevant. I could register a HE tunnel via your local he.net IPv6 tunnel broker, and yeah, Netflix may now be able to geo-locate it, but it will now be located to your country.

In other words, if you wanted USA content, you'd be able to register with a USA endpoint, and voila!

Netflix is correct in basically considering IPv6 tunnels a proxy. It may proxy IPv6 -> IPv4 instead of IPv4 -> IPv4, but it's still a proxy!

Incidentally, I'm not sticking up for the issue of geo-blocking -- I'm also not blaming netflix if the studios give them no choice, but hopefully when they have enough clout, they'll use it. Or maybe I'm wrong. Dunno. My point is, I'm not making any business/political/law comment in my post, purely technical.

Finally, unless you are having problems with routing, or you don't run an IPv4 stack, why is this even an issue? I use IPv6 to allow 'direct' access to my internal hosts, and to show a unique address when connecting to my (and others') external servers. I also want to generally run IPv6 for programming and learning reasons.

I don't use Netflix, but YouTube is used quite a lot, as well as regular offsite backups, and I set them all to use IPv4 to not waste HE's bandwidth unnecessarily (I know I'm a tiny tiny tiny fish in the pond, but I try to be a good neighbour, and every bit can help) [as a bonus, I'm now only 3 hops away from YouTube via IPv4 due to my ISP now hosting Google servers in-house, an event I may not have noticed otherwise]

I'm not having a go, I'm honestly curious as to why you want IPv6 to Netflix if you aren't using it to get around geo-restrictions?
I can see no reason to prefer tunneled IPv6 over IPv4 in these scenarios.

Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: lobotiger on January 30, 2017, 04:30:11 AM
Quote from: customcomputerca on December 10, 2016, 08:47:35 PM
Using pfSense I was able to get Netflix to work by blocking 2620:108:700f::/48 on the LAN interface, TCP port 443 only.  If another range of addresses comes up I'll update this post.

So I just set up my tunnel again (last time was the summer) and it looks like things are still blocked.  I tried the above prefix and while it appears to work for my desktop, I found that on my Android app, Netflix would be extremely slow to load up anything.  Typically this behaviour is due to it having an IPv6 address and still thinking that it has IPv6 connectivity.  The Netflix app will try and try and try to get the content via that method and eventually times out and goes over IPv4.  However, every time you load a video, the same process repeats itself and can take up to a full minute or more for a video to start playing.

Has there been any other news about how we can resolve this?

LoboTiger
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: rudimeier on February 04, 2017, 08:27:15 AM
The posted bind/dns proxy solutions are working best I guess. Quick and dirty, you could simply add the A records only to /etc/hosts

dig www.netflix.com A +short  | sed -n 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)/\1 www.netflix.com/p' >> /etc/hosts


For me it also works, quick and dirty, to just block the outgoing IPv6 traffic to Netflix

$ ip6tables -A OUTPUT -j REJECT  -d www.netflix.com

This results in some auto-resolved rules, looks like this on my site
$ ip6tables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all      anywhere             2a01:578:3::3412:fe98  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:c7fc  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3412:e37c  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:d9a8  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:ddb0  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:d15b  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:dea9  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3412:297f  reject-with icmp6-port-unreachable


Don't know if they change their IPs very often; probably you should write a small shell script to renew the rules from time to time automatically.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: snarked on February 06, 2017, 02:27:13 PM
Re - "auto-resolved rules."  You should look into the ipset extensions to iptables.  With ipset, you can have a single iptables rule that covers all the IPs.  One can also add or subtract from the set (using ipset commands) and iptables will automatically adjust to the changes.

See http://ipset.netfilter.org/ for details.

If you're targeting a single organization, you should use their CIDR bitmask (/32 to /64).
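Added example, not code from either post above: rudimeier's `ip6tables -L OUTPUT` listing shows one REJECT rule per resolved address, and snarked's point is that one CIDR block (or one ipset) covers them all. The Python below parses that listing, computes the smallest single prefix that contains every destination, checks it against the /48 list hevanaa posted, and renders the ipset commands that would replace the per-address rules. The set name nflx6 is an assumption; nothing here touches the firewall.

```python
import ipaddress

# The listing is copied from rudimeier's post; KNOWN_PREFIXES is hevanaa's posted list.
IP6TABLES_LISTING = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all      anywhere             2a01:578:3::3412:fe98  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:c7fc  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3412:e37c  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:d9a8  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:ddb0  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:d15b  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3411:dea9  reject-with icmp6-port-unreachable
REJECT     all      anywhere             2a01:578:3::3412:297f  reject-with icmp6-port-unreachable
"""

KNOWN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2a01:578:3::/48", "2406:da00:ff00::/48", "2600:1407:19::/48",
    "2607:f8b0:4001::/48", "2620:108:700f::/48")]


def reject_destinations(listing):
    """Pull the destination address out of every REJECT line of an ip6tables -L dump.
    The 'opt' column is blank in IPv6 listings, so fields are found by parsing,
    not by position."""
    dests = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] != "REJECT":
            continue
        for tok in fields[1:]:
            if ":" not in tok:
                continue
            try:
                dests.append(ipaddress.ip_address(tok))
                break
            except ValueError:
                continue
    return dests


def covering_prefix(addrs):
    """Smallest single CIDR block that contains every address in `addrs`."""
    addrs = list(addrs)
    net = ipaddress.ip_network(f"{addrs[0]}/{addrs[0].max_prefixlen}")
    while not all(a in net for a in addrs):    # widen one bit at a time
        net = net.supernet()
    return net


def matching_known_prefix(net, known=KNOWN_PREFIXES):
    """The posted /48 (if any) that already covers the aggregated block."""
    for k in known:
        if net.version == k.version and net.subnet_of(k):
            return k
    return None


def ipset_commands(setname, nets):
    """Render the ipset commands that replace per-address rules with one set.
    Returned as strings for review; this function runs nothing."""
    cmds = [f"ipset create {setname} hash:net family inet6 -exist",
            f"ipset flush {setname}"]
    cmds += [f"ipset add {setname} {n} -exist" for n in nets]
    return cmds


if __name__ == "__main__":
    dests = reject_destinations(IP6TABLES_LISTING)
    agg = covering_prefix(dests)
    known = matching_known_prefix(agg)
    print(f"{len(dests)} addresses aggregate to {agg} ({agg.num_addresses} addresses)")
    print(f"already covered by posted prefix: {known}")
    for cmd in ipset_commands("nflx6", [known or agg]):
        print(cmd)
```

With the posted addresses the aggregate is 2a01:578:3::3410:0/110, which sits inside the 2a01:578:3::/48 from the earlier list, so the set only needs that one entry. A single `ip6tables -A OUTPUT -m set --match-set nflx6 dst -j REJECT` rule then matches the set, and re-running `ipset add` on a timer updates membership without touching the rule. Aggregating blindly can over-match: if the addresses had spanned two unrelated /48s the covering block would include everything between them, which is why the check against a known allocation is worth keeping.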
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: cbuijs on April 05, 2017, 07:14:36 AM
If you use DNSMASQ as local resolver, add this to dnsmasq.conf:

server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::


This will result in only A records being resolved and the IPv6 tunnel not being used.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: zanechua on May 09, 2017, 02:27:24 PM
For those using Unbound DNS you can use this:

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "netflix.net" typetransparent
local-data: "netflix.net IN AAAA ::"

local-zone: "nflxext.com" typetransparent
local-data: "nflxext.com IN AAAA ::"

local-zone: "nflximg.net" typetransparent
local-data: "nflximg.net IN AAAA ::"

local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"

local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"

local-zone: "customerevents.netflix.com" typetransparent
local-data: "customerevents.netflix.com IN AAAA ::"

local-zone: "secure.netflix.com" typetransparent
local-data: "secure.netflix.com IN AAAA ::"

local-zone: "adtech.nflximg.net" typetransparent
local-data: "adtech.nflximg.net IN AAAA ::"

local-zone: "assets.nflxext.com" typetransparent
local-data: "assets.nflxext.com IN AAAA ::"

local-zone: "codex.nflxext.com" typetransparent
local-data: "codex.nflxext.com IN AAAA ::"

local-zone: "dockhand.netflix.com" typetransparent
local-data: "dockhand.netflix.com IN AAAA ::"

local-zone: "ichnaea.netflix.com" typetransparent
local-data: "ichnaea.netflix.com IN AAAA ::"

local-zone: "art-s.nflximg.net" typetransparent
local-data: "art-s.nflximg.net IN AAAA ::"

local-zone: "tp-s.nflximg.net" typetransparent
local-data: "tp-s.nflximg.net IN AAAA ::"
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: fir3drag0n on May 11, 2017, 01:10:59 PM
Quote from: bjo on October 27, 2016, 01:22:48 PM
Yay, the Fritzbox 7390 beta firmware supports IPv6 routes now, so I could nullroute the netflix prefixes.

What does it look like in the configuration of the Fritzbox?
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: fir3drag0n on August 06, 2017, 07:47:52 AM
Any help here?
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: bjo on August 06, 2017, 07:49:47 AM
I'm using the unbound solution now, so there's no need to nullroute prefixes in the Fritzbox, and I cannot provide any screenshots.
Title: Re: Netflix detects Toronto tunnel server as being in the US.
Post by: chadblose on October 09, 2018, 09:29:42 PM
Quote from: zanechua on May 09, 2017, 02:27:24 PM
For those using Unbound DNS you can use this:

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "netflix.net" typetransparent
local-data: "netflix.net IN AAAA ::"

local-zone: "nflxext.com" typetransparent
local-data: "nflxext.com IN AAAA ::"

local-zone: "nflximg.net" typetransparent
local-data: "nflximg.net IN AAAA ::"

local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"

local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"

local-zone: "customerevents.netflix.com" typetransparent
local-data: "customerevents.netflix.com IN AAAA ::"

local-zone: "secure.netflix.com" typetransparent
local-data: "secure.netflix.com IN AAAA ::"

local-zone: "adtech.nflximg.net" typetransparent
local-data: "adtech.nflximg.net IN AAAA ::"

local-zone: "assets.nflxext.com" typetransparent
local-data: "assets.nflxext.com IN AAAA ::"

local-zone: "codex.nflxext.com" typetransparent
local-data: "codex.nflxext.com IN AAAA ::"

local-zone: "dockhand.netflix.com" typetransparent
local-data: "dockhand.netflix.com IN AAAA ::"

local-zone: "ichnaea.netflix.com" typetransparent
local-data: "ichnaea.netflix.com IN AAAA ::"

local-zone: "art-s.nflximg.net" typetransparent
local-data: "art-s.nflximg.net IN AAAA ::"

local-zone: "tp-s.nflximg.net" typetransparent
local-data: "tp-s.nflximg.net IN AAAA ::"

I tried this in my OPNsense configuration and it didn't work, Netflix still gave me a proxy detected error. I'm not sure if it has to do with me using Stubby as my stub resolver with this configuration:
forward-zone:
    name: "."    # Allow all DNS queries
    forward-addr: 127.0.0.1@8053