Sachin Garg
2016-06-16 20:07:48 UTC
Hi all,
I have a possibly not-so unique use case to send an NXDOMAIN answer to
clients that query for an AAAA record for a specific domain. I am
running dnsmasq on an OpenWRT router.
Elaborating on the problem:
1. I have IPv6 connectivity through an HE.net (Hurricane Electric) tunnel
2. Netflix has blocked access to their content via IPv6 emanating from
HE.net
3. The result: I am unable to access Netflix on my iDevices. However, my
old Roku (that possibly does not support IPv6) works fine. This is why I
know that the problem is IPv6 related.
Proposed solutions:
1. On scouring the net, I found one of the solutions being to null-route
the Netflix IPv6 blocks, forcing my devices to try and connect via IPv4.
However, the Netflix IPv6 block actually is part of a larger AWS block,
so that means going without IPv6 for also many other AWS services.
(Aside: wondering why a large company like Netflix cannot get its own
IPv6 prefix?)
So, the alternative I am thinking of is to let my router's DNS server
(dnsmasq) lie about the non-existence of AAAA records for *.netflix.com.
Is there a way to make that happen? I have been able to block netflix by
using:
address=/netflix.com/127.0.0.1
address=/netflix.com/::1
However, just using:
address=/netflix.com/::1
Breaks it for IPv4 also.
So, any ideas as to how to do finer grained DNS filtering?
Thanks,
Sachin
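The post is asking for a DNS-level filter that is aware of the query type: answer negatively only when the qname is under a chosen suffix and the QTYPE is AAAA, and forward everything else untouched. A plain `address=/netflix.com/::1` line cannot express that, because dnsmasq's `address=` matches the domain, not the record type, so A lookups for the same names are answered locally too. The following is an added example, not part of the original post or of dnsmasq, showing the decision logic and the wire-format answer in Python's standard library: it parses the question section of a DNS query, applies the suffix-plus-AAAA rule, and builds either an NXDOMAIN (RCODE 3, as the post requests) or a NODATA (RCODE 0 with an empty answer section) response. The filtered suffix list and the transaction ids are constructed for illustration.

```python
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# Policy for this example: suppress AAAA answers only under these suffixes
# (assumed list, taken from the domain in the post).
FILTERED_SUFFIXES = ("netflix.com",)


def parse_question(msg):
    """Parse the header and the single question of a DNS wire-format message.

    Returns (txid, qname, qtype, qclass, raw_question_bytes).
    Label compression in the question is not handled; real queries never use it there.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels).lower(), qtype, qclass, msg[12:pos]


def matches_suffix(qname, suffix):
    # "netflix.com" and "www.netflix.com" match; "notnetflix.com" must not.
    return qname == suffix or qname.endswith("." + suffix)


def should_filter(qname, qtype):
    """The rule from the post: negative answer only for AAAA under a listed suffix."""
    return qtype == QTYPE_AAAA and any(matches_suffix(qname, s) for s in FILTERED_SUFFIXES)


def build_negative_response(txid, question, nxdomain=True):
    """Build a response with no answer records: NXDOMAIN (RCODE 3) or NODATA (RCODE 0)."""
    rcode = RCODE_NXDOMAIN if nxdomain else RCODE_NOERROR
    # QR=1, RD=1, RA=1 plus the RCODE in the low four bits.
    flags = 0x8180 | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + question


def build_query(qname, qtype, txid=0x1234):
    """Construct a minimal recursive query for the given name and type (test input)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def handle(msg, nxdomain=True):
    """Return ("nxdomain"/"nodata", response_bytes) when filtered, else ("forward", None)."""
    txid, qname, qtype, _qclass, question = parse_question(msg)
    if should_filter(qname, qtype):
        kind = "nxdomain" if nxdomain else "nodata"
        return kind, build_negative_response(txid, question, nxdomain)
    return "forward", None


if __name__ == "__main__":
    for name, qtype in [("www.netflix.com", QTYPE_AAAA),
                        ("www.netflix.com", QTYPE_A),
                        ("example.com", QTYPE_AAAA)]:
        action, _ = handle(build_query(name, qtype))
        print(name, "AAAA" if qtype == QTYPE_AAAA else "A", "->", action)
```

Two caveats worth keeping in mind when deploying this kind of filter in front of a real resolver: NXDOMAIN asserts that the name has no records of any type, so a client that negatively caches it per RFC 2308 may stop asking for the A record as well, which is why NODATA (empty NOERROR) is the more accurate answer for "no AAAA here"; and a DNSSEC-validating client will reject either forged negative answer because it carries no NSEC/NSEC3 proof.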