• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Netflix IPv6 DNS Domains

Started by DJX, October 03, 2022, 04:26:30 PM

Previous topic - Next topic


Since Netflix blocks HE IPv6 addresses, I have been filtering AAAA queries on my DNS servers to force clients to connect over IPv4. Only problem is, I haven't found all the DNS domains I need to filter. This is my current list but I'm still missing some as some content is still getting blocked (or silently filtered out as not available)


Anyone have more Netflix domains I can filter AAAA queries on?


Have you tried running Wireshark to look for all relevant DNS requests?


I attempted the same thing but decided to stop. Under my circumstances, it looked like the netflix player required access to the domains you mentioned as well as *.amazonaws.com.

Restricting that domain to v4 only caused some issues with logins on various sites (for me. No idea how appliable that is for someone else).

I ended up creating a VLAN with no v6 address applied on the "LAN" side. Using a player, chromecast, or PC from that VLAN enforces v4-only for all traffic.



Quote from: tjeske on October 12, 2022, 07:30:43 AM
Have you tried running Wireshark to look for all relevant DNS requests?
I would but the problem only exists on embedded devices like TVs and streaming media players.
So I can't run wireshark against them.

With my current DNS filters:
Works fine in Firefox or Chrome.

I'll play with possibly adding AmazonAWS.


Well, I've added AmazonAWS and still not working on the embedded devices.
First boot-up is fine but subsequent accesses everything is locked out with a proxy message or silently hidden.
Fine on PC but I have no idea what these embedded devices are doing.

Current DNS filter: EQ,*.amazonaws.com.,*.netflix.com.,*.nflxext.com.,*.netflix.net.,*.nflximg.net.,*.nflxvideo.net.,*.nflxso.net.


Unfortunately, many embedded devices have hardcoded DNS servers. Mainly thought as fallback. Iirc correctly every Android device has hardcoded as well. Could be that Google's DNS sometimes just wins the race over your local DNS. Worst would be if it's using DoH.

Again, you should sniff on the actual traffic, not just your DNS. That's possible without running Wireshark on the device itself. "Easiest" solution is probably to use your PC as router. Or block all traffic to internet on UDP:53 and see if that fixes your issues.


How about filtering by ASN?  I see that they're using Amazon Web Services, so the ASN is 16509.  I would further limit filtering to just DNS queries and/or responses.