[Pdns-users] Can I filter AAAA DNS requests for Netflix?

Nicholas Williams nicholas at nicholaswilliams.net
Sun Oct 6 03:10:38 UTC 2019

I’ve got a conundrum that has kind of come to a head for me. It may be 2019, but Comcast is still too incompetent to provide me with properly-working IPv6, so I’ve resorted to using a Hurricane Electric tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and similar tunnels under the assumption that you’re trying to scam their location identification and access content that you don’t have geographic access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s available, so Hurricane Electric users are kinda screwed.

In the past, I’ve dealt with this by adding a black hole route for Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes in order to keep Netflix working, and from what I can tell that means I’m now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch of sites.

This solution is really like using a sledgehammer to install a picture frame hanger (and having to replace the picture frame hanger every few months). A better solution is to prevent Netflix from doing AAAA lookups (or somehow filter them and respond with only A results). I’m already using PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS Recursor so that certain domains (like Netflix) respond with only A results and never return AAAA results, so that I can remove my blackhole routes?


