[Pdns-users] Can I filter AAAA DNS requests for Netflix?

bert hubert bert.hubert at powerdns.com
Mon Oct 7 06:47:11 UTC 2019


Hello everyone,

I used to use this script:

--[[ 
        Sometimes, domains break when IPv6 is used. A common example is
        Netflix via an IPv6 tunnel, which Netflix interprets as a proxying 
        attempt.
        
        This function strips IPv6 from one or more subdomains. It can be called
        with a single domain, like "netflix.com", or with a domain set, which
        is more efficient and scales very well.
        
        This file is meant for including, so you can call it from your preresolve
        (comment out the activation code at the bottom in that case).
        Alternatively, leave the activation code in place and load the file
        directly into your resolver with 'lua-dns-script=strip-ipv6-from-domains.lua'.
]]--

function preventIPv6ForDomains(dq, domain)
        -- Only AAAA queries are touched; anything else resolves normally.
        if(dq.qtype ~= pdns.AAAA) then return false end
        local ds
        if(type(domain) == "string") then
                -- Convenience path: build a one-entry suffix set for this query.
                -- Pass a prebuilt set (newDS) instead to avoid doing this per query.
                ds=newDS()
                ds:add{domain}
        else
                ds=domain
        end
        if(ds:check(dq.qname)) then
                -- NOERROR (0) with an empty answer section is a NODATA reply,
                -- so the client falls back to the A records.
                dq.rcode = 0
                return true
        end
        return false
end

-- Activation code. Comment this block out if you include this file from a
-- script that defines its own preresolve.

netflix=newDS()
netflix:add{"netflix.com"}

function preresolve(dq)
        -- Hand over the prebuilt set rather than the string, so the suffix
        -- set is not rebuilt on every query.
        return preventIPv6ForDomains(dq, netflix)
end

Perhaps useful.

	Bert


On Mon, Oct 07, 2019 at 02:23:07AM -0400, Aleksandr Rogozin via Pdns-users wrote:
> Hi Nick,
> 
> Since your request was to filter based on specific domains for qtype AAAA
> with custom response, I suggest looking into Response Policy Zone (RPZ) or
> LUA script.
> 
> Best Regards,
> Aleksandr
> 
> On Sat, Oct 5, 2019 at 23:10 Nicholas Williams <
> nicholas at nicholaswilliams.net> wrote:
> 
> > I’ve got a conundrum that has kind of come to a head for me. It may be
> > 2019, but Comcast is still too incompetent to provide me with
> > properly-working IPv6, so I’ve resorted to using a Hurricane Electric
> > tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and
> > similar tunnels under the assumption that you’re trying to scam their
> > location identification and access content that you don’t have geographic
> > access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s
> > available, so Hurricane Electric users are kinda screwed.
> >
> > In the past, I’ve dealt with this by adding a black hole route for
> > Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes
> > in order to keep Netflix working, and from what I can tell that means I’m
> > now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch
> > of sites.
> >
> > This solution is really like using a sledgehammer to install a picture
> > frame hanger (and having to replace the picture frame hanger every few
> > months). A better solution is to prevent Netflix from doing AAAA lookups
> > (or somehow filter them and respond with only A results). I’m already using
> > PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS
> > Recursor so that certain domains (like Netflix) respond with only A results
> > and never return AAAA results, so that I can remove my blackhole routes?
> >
> > Thanks,
> >
> > Nick
> >
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> >

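As an added example (not Bert's script and not part of PowerDNS), the same preresolve approach written as a stand-alone lua-dns-script that builds the suffix set once at load time from a list and logs every suppressed query, so you can confirm in the recursor log that the filter is actually firing. It assumes the PowerDNS Recursor 4.x Lua API (newDS, preresolve, pdnslog); netflix.com comes from the thread, the second list entry is a placeholder, not a real Netflix hostname.

```lua
-- strip-aaaa-for-sets.lua: load with lua-dns-script=<path to this file>
-- Assumes the PowerDNS Recursor 4.x Lua API (newDS, preresolve, pdnslog).

-- Domains (and all of their subdomains) that must never get an AAAA answer.
-- "netflix.com" is from the thread; "example.net" is only a placeholder.
local noAAAADomains = { "netflix.com", "example.net" }

-- Build the suffix-match set once when the script is loaded, not per query.
local noAAAA = newDS()
for _, d in ipairs(noAAAADomains) do
        noAAAA:add{d}
end

-- Returns true when the query was answered here (NODATA), false to let the
-- recursor resolve it normally.
function stripAAAA(dq)
        if dq.qtype ~= pdns.AAAA then
                return false
        end
        if not noAAAA:check(dq.qname) then
                return false
        end
        -- NOERROR (0) with an empty answer section is a NODATA reply: the client
        -- concludes the name has no IPv6 address and uses its A records instead.
        dq.rcode = 0
        pdnslog("stripAAAA: suppressed AAAA for " .. dq.qname:toString(),
                pdns.loglevels.Info)
        return true
end

function preresolve(dq)
        return stripAAAA(dq)
end
```

To check it, query the recursor directly: `dig AAAA www.netflix.com @<recursor address>` should come back with `status: NOERROR` and `ANSWER: 0`, while `dig A www.netflix.com @<recursor address>` still returns addresses, and the recursor log shows the stripAAAA line. One caveat: the synthesized NODATA carries no NSEC/NSEC3 proof, so a client that performs its own DNSSEC validation will reject it; ordinary stub resolvers, which is what the Netflix apps use, are unaffected.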
