Hurricane Electric IPv6 Tunnel, Netflix & Unbound

I had been happily using HE’s tunnel broker to gain access to the IPv6 internet for some time. A side effect of this was that I would quite often get the US version of the Netflix catalogue. Back in June of 2016, Netflix started actively blocking HE’s subnets because of people using them explicitly to avoid their geo blocking. Consequently, I would get an error when trying to watch Netflix. The solution I had been using was to reject all IPv6 traffic at the firewall for any device that I used to access Netflix. It bothered me to essentially turn off IPv6 for those devices, and I recently found a better solution. I use unbound as my recursive DNS resolver, and I found that, with the following lines added to its configuration file, Netflix has been working without rejecting the IPv6 traffic.

# These options belong in the server: clause of unbound.conf.
# Use plain ASCII double quotes; typographic quotes are a syntax error.
local-zone: "netflix.com" typetransparent
local-data: "netflix.com AAAA ::1"
local-data: "android-appboot.netflix.com AAAA ::1"
local-data: "android.nccp.netflix.com AAAA ::1"
local-data: "android.prod.cloud.netflix.com AAAA ::1"
local-data: "api-global.latency.prodaa.netflix.com AAAA ::1"
local-data: "api-global.netflix.com AAAA ::1"
local-data: "api-global.us-east-1.prodaa.netflix.com AAAA ::1"
local-data: "api-global.us-west-2.prodaa.netflix.com AAAA ::1"
local-data: "api.netflix.com AAAA ::1"
local-data: "appboot.netflix.com AAAA ::1"
local-data: "appboot.us-east-1.prodaa.netflix.com AAAA ::1"
local-data: "appboot.us-west-2.prodaa.netflix.com AAAA ::1"
local-data: "cast-uiboot.prod.http1.netflix.com AAAA ::1"
local-data: "cast.netflix.com AAAA ::1"
local-data: "cast.prod.http1.netflix.com AAAA ::1"
local-data: "customerevents.netflix.com AAAA ::1"
local-data: "dockhand.netflix.com AAAA ::1"
local-data: "ichnaea.geo.netflix.com AAAA ::1"
local-data: "ichnaea.latency.prodaa.netflix.com AAAA ::1"
local-data: "ichnaea.netflix.com AAAA ::1"
local-data: "ichnaea.us-east-1.prodaa.netflix.com AAAA ::1"
local-data: "ichnaea.us-west-2.prodaa.netflix.com AAAA ::1"
local-data: "ios.nccp.netflix.com AAAA ::1"
local-data: "ios.prod.http1.netflix.com AAAA ::1"
local-data: "nintendo.nccp.netflix.com AAAA ::1"
local-data: "nrdp.nccp.netflix.com AAAA ::1"
local-data: "presentationtracking.netflix.com AAAA ::1"
local-data: "prod.http1.us-west-2.prodaa.netflix.com AAAA ::1"
local-data: "secure.netflix.com AAAA ::1"
local-data: "uiboot.netflix.com AAAA ::1"
local-data: "www.geo.netflix.com AAAA ::1"
local-data: "www.latency.prodaa.netflix.com AAAA ::1"
local-data: "www.netflix.com AAAA ::1"
local-data: "www.us-east-1.prodaa.netflix.com AAAA ::1"
local-data: "www.us-west-2.prodaa.netflix.com AAAA ::1"

Essentially, any request for an AAAA record for one of these names returns localhost (::1), but all other record types are resolved normally. I created the list by checking the unbound log file while devices were trying to access Netflix. If I find any more hostnames to redirect, I will add them to the list.
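One way to build and maintain such a list from the resolver log, as an added example that is not part of the original post: it assumes query logging is enabled in unbound and that each query line ends in "info: <client> <qname> <qtype> IN". The function names, the sample log lines and the host newhost.netflix.com are constructed for illustration.

```python
import re

# Assumed shape of a query log line (an assumption, not taken from the post):
#   [1530882000] unbound[812:0] info: 192.168.1.20 www.netflix.com. AAAA IN
QUERY_RE = re.compile(r"info: \S+ (\S+) \S+ IN\s*$")


def netflix_names(log_lines, zone="netflix.com"):
    """Return the sorted, de-duplicated names inside `zone` seen in query lines."""
    names = set()
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line (startup notices, errors, ...)
        qname = match.group(1).rstrip(".").lower()
        # Match on a label boundary so "notnetflix.com" is not picked up.
        if qname == zone or qname.endswith("." + zone):
            names.add(qname)
    return sorted(names)


def local_data_lines(names, known=()):
    """Build local-data lines (plain ASCII quotes) for names not yet configured."""
    known = {k.lower() for k in known}
    return ['local-data: "%s AAAA ::1"' % n for n in names if n not in known]


# Constructed sample log lines, not captured from a real resolver.
SAMPLE_LOG = [
    "[1530882000] unbound[812:0] notice: init module 0: validator",
    "[1530882001] unbound[812:0] info: 192.168.1.20 www.netflix.com. A IN",
    "[1530882001] unbound[812:0] info: 192.168.1.20 www.netflix.com. AAAA IN",
    "[1530882002] unbound[812:0] info: 192.168.1.21 NewHost.Netflix.com. AAAA IN",
    "[1530882003] unbound[812:0] info: 192.168.1.21 notnetflix.com. AAAA IN",
    "[1530882004] unbound[812:0] info: 192.168.1.21 cdn.example.net. A IN",
]

if __name__ == "__main__":
    seen = netflix_names(SAMPLE_LOG)
    # www.netflix.com is already in the list above, so only the new name prints.
    for line in local_data_lines(seen, known=["www.netflix.com"]):
        print(line)
```

After appending new lines, running `unbound-checkconf` before restarting the resolver catches syntax errors such as stray typographic quotes.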

Latest update July 6 2018

3 thoughts on “Hurricane Electric IPv6 Tunnel, Netflix & Unbound”

  1. I am getting quite fed up with how technology is going these days. It really seems like if you actually know what you are doing with technology, you are the enemy.

    I’ve been disabling v6 on my girlfriend’s Windows desktop so it didn’t hinder her using Netflix. That was all well and good, until my daughter received an Android tablet, and the same thing happened. I am not killing my tunnel just for Netflix, nor do I desire to root the tablet just to install a ‘disable ipv6’ app, since Android is hell-bent on stopping you from doing what you want with the software (or the vendors, I don’t know/care anymore).

    End rant. I am actually posting this to offer a big thanks. I run an OpenBSD router and use unbound/nsd for DNS (I do run DNS for my own domain, how retro!). After finding your convenient list of domains for Netflix, now things are working without needing to kill v6 stacks selectively on machines or rooting Android devices.

    Cheers!

  2. I tried pasting this in my OPNsense Unbound custom config under my “server:” and before “forward-zone:” section. After applying the changes, Unbound doesn’t start, stating a syntax error. Am I putting it in the wrong spot?
