• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Netflix IPv6 DNS Domains

Started by DJX, October 03, 2022, 04:26:30 PM

Previous topic - Next topic

DJX

Since Netflix blocks HE IPv6 addresses, I have been filtering AAAA queries on my DNS servers to force clients to connect over IPv4. Only problem is, I haven't found all the DNS domains I need to filter. This is my current list but I'm still missing some as some content is still getting blocked (or silently filtered out as not available)

Quote*.netflix.com
*.netflix.net
*.nflxvideo.net
*.nflxso.net

Anyone have more Netflix domains I can filter AAAA queries on?
Thanks!

tjeske

Have you tried running Wireshark to look for all relevant DNS requests?

DJ1975

I attempted the same thing but decided to stop. Under my circumstances, it looked like the netflix player required access to the domains you mentioned as well as *.amazonaws.com.

Restricting that domain to v4 only caused some issues with logins on various sites (for me. No idea how appliable that is for someone else).

I ended up creating a VLAN with no v6 address applied on the "LAN" side. Using a player, chromecast, or PC from that VLAN enforces v4-only for all traffic.

YMMV

DJX

Quote from: tjeske on October 12, 2022, 07:30:43 AM
Have you tried running Wireshark to look for all relevant DNS requests?
I would but the problem only exists on embedded devices like TVs and streaming media players.
So I can't run wireshark against them.

With my current DNS filters:
Quote*.netflix.com,*.nflxext.com,*.netflix.net,*.nflximg.net,*.nflxvideo.net,*.nflxso.net
Works fine in Firefox or Chrome.

I'll play with possibly adding AmazonAWS.

DJX

#4
Well, I've added AmazonAWS and still not working on the embedded devices.
First boot-up is fine but subsequent accesses everything is locked out with a proxy message or silently hidden.
Fine on PC but I have no idea what these embedded devices are doing.

Current DNS filter: EQ,*.amazonaws.com.,*.netflix.com.,*.nflxext.com.,*.netflix.net.,*.nflximg.net.,*.nflxvideo.net.,*.nflxso.net.

tjeske

Unfortunately, many embedded devices have hardcoded DNS servers. Mainly thought as fallback. Iirc correctly every Android device has 8.8.8.8 hardcoded as well. Could be that Google's DNS sometimes just wins the race over your local DNS. Worst would be if it's using DoH.

Again, you should sniff on the actual traffic, not just your DNS. That's possible without running Wireshark on the device itself. "Easiest" solution is probably to use your PC as router. Or block all traffic to internet on UDP:53 and see if that fixes your issues.

snarked

How about filtering by ASN?  I see that they're using Amazon Web Services, so the ASN is 16509.  I would further limit filtering to just DNS queries and/or responses.