[Pdns-users] Can I filter AAAA DNS requests for Netflix?

Nicholas Williams nicholas at nicholaswilliams.net
Tue Oct 8 01:30:07 UTC 2019


Thanks, Bert, et al.! Based on this feedback and https://github.com/fumiyas/pdns-scripts/blob/master/recursor/filter-aaaa.lua, I tried this, and it seems to be working:

-- Suffix set: a query name matches if it equals or lies under one of these
blacklisted = newDS()
blacklisted:add{"netflix.com"}
blacklisted:add{"netflix.net"}

-- Runs after the recursor has resolved the query; drops every AAAA record
-- from the answer when the query name falls under a listed domain
function postresolve(dq)
  if blacklisted:check(dq.qname) then
    local records = dq:getRecords()
    local records_new = {}

    for _, record in ipairs(records) do
      if record.type ~= pdns.AAAA then
        records_new[#records_new + 1] = record
      end
    end

    -- replace the answer with the filtered record set
    dq:setRecords(records_new)
    return true   -- true: the records were modified
  end

  return false    -- false: answer left untouched
end

Now to see if the Netflix apps start behaving any better…

Thanks!

Nick

> On Oct 7, 2019, at 1:47 AM, bert hubert <bert.hubert at powerdns.com> wrote:
> 
> Hello everyone,
> 
> I used to use this script:
> 
> --[[ 
>        Sometimes, domains break when IPv6 is used. A common example is
>        Netflix via an IPv6 tunnel, which Netflix interprets as a proxying 
>        attempt.
> 
>        This function strips IPv6 from one or more subdomains. It can be called
>        with a single domain, like "netflix.com", or with a domain set, which
>        is more efficient and scales very well.
> 
>        This file is meant for including, so you can call it from your preresolve.
>        Alternatively, uncomment the activation code below and you can load it
>        directly into your resolver with 'lua-dns-script=strip-ipv6-from-domains.lua'.
> ]]--
> 
> function preventIPv6ForDomains(dq, domain)
>        local ds=newDS()
>        if(type(domain) == "string") then
>                ds:add{domain}
>        else
>                ds=domain
>        end
>        if(dq.qtype ~= pdns.AAAA) then return false end
>        if(ds:check(dq.qname)) then
>                dq.rcode = 0
>                return true
>        end
>        return false
> end
> 
> -- To activate, uncomment the block below:
> 
> netflix=newDS()
> netflix:add{"netflix.com"}
> 
> function preresolve(dq)
>        -- pass the suffix set rather than the bare string so it is not rebuilt per query
>        return preventIPv6ForDomains(dq, netflix)
> end
> 
> Perhaps useful.
> 
> 	Bert
> 
> 
> On Mon, Oct 07, 2019 at 02:23:07AM -0400, Aleksandr Rogozin via Pdns-users wrote:
>> Hi Nick,
>> 
>> Since your request was to filter based on specific domains for qtype AAAA
>> with custom response, I suggest looking into Response Policy Zone (RPZ) or
>> LUA script.
>> 
>> Best Regards,
>> Aleksandr
>> 
>> On Sat, Oct 5, 2019 at 23:10 Nicholas Williams <
>> nicholas at nicholaswilliams.net> wrote:
>> 
>>> I’ve got a conundrum that has kind of come to a head for me. It may be
>>> 2019, but Comcast is still too incompetent to provide me with
>>> properly-working IPv6, so I’ve resorted to using a Hurricane Electric
>>> tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and
>>> similar tunnels under the assumption that you’re trying to scam their
>>> location identification and access content that you don’t have geographic
>>> access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s
>>> available, so Hurricane Electric users are kinda screwed.
>>> 
>>> In the past, I’ve dealt with this by adding a black hole route for
>>> Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes
>>> in order to keep Netflix working, and from what I can tell that means I’m
>>> now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch
>>> of sites.
>>> 
>>> This solution is really like using a sledgehammer to install a picture
>>> frame hanger (and having to replace the picture frame hanger every few
>>> months). A better solution is to prevent Netflix from doing AAAA lookups
>>> (or somehow filter them and respond with only A results). I’m already using
>>> PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS
>>> Recursor so that certain domains (like Netflix) respond with only A results
>>> and never return AAAA results, so that I can remove my blackhole routes?
>>> 
>>> Thanks,
>>> 
>>> Nick
>>> 
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>> 
> 

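A combined version of the two approaches in this thread, as an added example (not code from Nick, Bert or the PowerDNS project): preresolve answers AAAA queries for the listed domains with an empty NOERROR (NODATA) reply before any upstream lookup, so the recursor never fetches or caches IPv6 addresses for them, and postresolve additionally strips AAAA records whose owner name falls under the list even when the query name itself does not (a CNAME chain from an unlisted name into a listed zone, or an ANY query). The set name no_ipv6, the file path and the logging are assumptions; the domains are the two from the thread, and the hook names and dq methods are the Recursor 4.x scripting API.

```lua
-- no-aaaa.lua: added example, not from the thread. Assumes PowerDNS Recursor 4.x
-- loaded with  lua-dns-script=/etc/powerdns/no-aaaa.lua  (path is an assumption).

-- Suffix set: a DNSName matches if it equals or lies under one of these.
local no_ipv6 = newDS()
no_ipv6:add{"netflix.com", "netflix.net"}

-- Hook 1: runs before resolution. Answering here avoids the upstream AAAA
-- lookup entirely, so no IPv6 address for these names ever enters the cache.
function preresolve(dq)
  if dq.qtype == pdns.AAAA and no_ipv6:check(dq.qname) then
    dq.rcode = 0          -- NOERROR with an empty answer section = NODATA
    pdnslog("no-aaaa: NODATA for AAAA " .. dq.qname:toString(), pdns.loglevels.Info)
    return true           -- true: answer is complete, do not resolve upstream
  end
  return false            -- false: resolve normally
end

-- Hook 2: runs after resolution. Catches AAAA records that arrive without the
-- query name matching, e.g. a CNAME chain from an unlisted name into a listed
-- zone, or an ANY query. Filters on the record owner name, not on dq.qname.
function postresolve(dq)
  local records = dq:getRecords()
  local kept = {}
  local dropped = 0

  for _, rec in ipairs(records) do
    if rec.type == pdns.AAAA and no_ipv6:check(rec.name) then
      dropped = dropped + 1
    else
      kept[#kept + 1] = rec
    end
  end

  if dropped == 0 then
    return false          -- nothing changed, leave the answer as resolved
  end

  pdnslog(string.format("no-aaaa: dropped %d AAAA record(s) from answer for %s",
                        dropped, dq.qname:toString()), pdns.loglevels.Info)
  dq:setRecords(kept)
  return true             -- true: records were modified
end
```

After loading it (rec_control reload-lua-script picks up edits without a restart), check it the way a client would: dig @127.0.0.1 netflix.com AAAA should come back with status NOERROR and ANSWER: 0, while dig @127.0.0.1 netflix.com A must still return the same addresses as before. The postresolve-only script earlier in the thread still lets the recursor perform and cache the upstream AAAA lookup; the preresolve hook here avoids that work. Neither hook helps a device that bypasses this recursor (a hard-coded public resolver or DNS-over-HTTPS in the app), so the black hole routes can only be dropped for clients that actually use it.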