OpenWrt Forum Archive

Topic: [SOLVED] Netflix Open Connect with Google DNS

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I cannot access Netflix after changing my DNS from my ISP's (Telus) DNS to Google Public DNS. I changed DNS because I want to use DNSSEC and my ISP's DNS won't work with DNSSEC.

According to Netflix FAQ:

If you've modified your device for custom connection settings, we recommend using your Internet service provider's default settings. If you are connecting with a Virtual Private Network, disable it and connect directly with your home Internet. If you have changed your device to a custom DNS setting, try resetting your device to acquire DNS automatically. If you are unsure how to complete any of these steps, reach out to the manufacturer of the device for more assistance.

Telus is part of Netflix Open Connect, where they have Netflix caching servers on the ISP's network infrastructure.

Telus has other DNS servers, and out of the list two DNS servers offer DNSSEC:

209.202.110.120
209.202.110.121

dig @209.202.110.120 +dnssec debian.org

; <<>> DiG 9.10.3 <<>> @209.202.110.120 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53602
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 6, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;debian.org.            IN    A

;; ANSWER SECTION:
debian.org.        300    IN    A    200.17.202.197
debian.org.        300    IN    A    150.203.164.38
debian.org.        300    IN    A    128.31.0.62
debian.org.        300    IN    A    140.211.15.34
debian.org.        300    IN    A    5.153.231.4
debian.org.        300    IN    A    130.89.148.14
debian.org.        300    IN    RRSIG    A 8 2 300 20151222060107 20151112050107 36840 debian.org. m8nWgsDuIpL6NsUuykMb7T5nhby6bGt2OmgMDKckZQ6qOhPAV2cckctI B0iiBvoUUaolX3W6W+XtpwueUWygZvopjZnVO94+u5PoQD5tUV0Hl168 2MnIfbekadQLju2025cqVp/I1hZkdg/7Ii4XJlgL+1+XeESU6QJyhRM6 rUKB5xSDFGBH3aqfr57G0Kl3yTr9xnIYhcf0Pb0qIdqEJ5NZsG6Gslts d8M2MHWp1jE9eBkxeYP3+D5uHowU3eV7

;; AUTHORITY SECTION:
debian.org.        2962    IN    NS    sec1.rcode0.net.
debian.org.        2962    IN    NS    debian1.dnsnode.net.
debian.org.        2962    IN    NS    dns1.easydns.com.
debian.org.        2962    IN    NS    sec2.rcode0.net.
debian.org.        2962    IN    NS    dns4.easydns.info.
debian.org.        28584    IN    RRSIG    NS 8 2 28800 20151212140543 20151102140515 36840 debian.org. Yg1Qh8Q7gNtMCXPczVXlrBsHCUmxap+4C3Q/XPP8ddpHp879b2N342gZ 4R6cygK92npZvzIlUzDUxCNwL056FcXkz+oRge8iHxIwADgqH0jcH+Q+ iriBZcgQoD1fbX5k+IV7t2949kQW25agG1EVuMUcNN7U5/AZAeeKtCs1 S6bnSwnyrbtO8rzLhgE8LtZSBbfkHVjBLjTzyRHE/D1n8zzLs3Ny5YoM u6SdmuWNjG3F4R2lsKkXSlXr4FgSaZLa

;; ADDITIONAL SECTION:
dns1.easydns.com.    170952    IN    A    64.68.192.210
dns1.easydns.com.    104483    IN    AAAA    2001:1838:f001::10
sec2.rcode0.net.    177445    IN    A    176.97.158.100
sec2.rcode0.net.    177445    IN    AAAA    2001:67c:10b8::100
sec1.rcode0.net.    4454    IN    A    192.174.68.100
sec1.rcode0.net.    4454    IN    AAAA    2001:67c:1bc::100
debian1.dnsnode.net.    6906    IN    A    194.146.106.126
debian1.dnsnode.net.    6906    IN    AAAA    2001:67c:1010:32::53
dns4.easydns.info.    26969    IN    A    194.0.2.19
dns4.easydns.info.    26969    IN    AAAA    2001:678:5::13

;; Query time: 78 msec
;; SERVER: 209.202.110.120#53(209.202.110.120)
;; WHEN: Sat Nov 14 19:39:26 PST 2015
;; MSG SIZE  rcvd: 962

But anything other than the ISP-provided DNS addresses didn't work:

75.153.176.9
75.153.176.1

I got a list of the domains Netflix uses:
https://i.imgur.com/y8zpXxe.png

I have added all the domains listed to /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        #option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option dnssec '1'
        option strictorder '1'
        option noresolv  '1'
        list server '/netflix.com/75.153.176.9'
        list server '/nflximg.com/75.153.176.9'
        # etc. ... (remaining Netflix domains elided in the original post)
        list server '8.8.8.8'
        list server '8.8.4.4'
        option dnsseccheckunsigned '1'

Oddly enough, no matter what the DNS record says, Netflix apps work just fine on Android and iOS. On CyanogenMod I can see it requesting access to location information when on Google DNS but not requesting location access when on the default DNS.

On desktop/Chrome it just exits with an error.

(Last edited by twotwo on 11 Dec 2015, 20:44)

Sounds like their list is incomplete; try using Wireshark to see what DNS requests leave your computer when accessing Netflix.

And please post the complete list (or even as is) as in the dhcp config -- would surely save time and effort to anyone who'd want to retrace your steps.

(Last edited by stangri on 15 Nov 2015, 12:07)

Sorry for the late reply.
I got a little busy for the last couple of days.
I will do the Wireshark trace and full dhcp config in a few days.
I reverted the dhcp config so I will have to edit it back to the way it was.

I think this may not work because the dnssec option is a global config for all DNS and the Telus DNS won't work.
But I tried changing the dhcp config without DNSSEC and with all Netflix domains pointing to Telus and it still didn't work.

(Last edited by twotwo on 16 Nov 2015, 03:49)

On a side note, I'm surprised that Netflix wouldn't work with Google's DNS, because afaik the Google DNS was hardcoded in Lollipop for Nexus devices and I don't remember hearing about Netflix access problems for them.

Hey everyone,
Just a little update.
I have done some further work and my ISP has made some recent changes that might make this easier (they have IPv6 enabled now).

So Netflix with Google DNS works perfectly now.

The main problem remains, that is DNSSEC not working with Netflix.

I did a trace in Wireshark and found it interesting that domains similar to:

ipv6_1-lagg0-c004.1.yvr004.telus.isp.nflxvideo.net points to => ipv6_1-lagg0-c004.1.yvr004.telus.isp.nflxvideo.net.lan

Wireshark shows a "Server failure" message in the packet.

So the .lan is actually the same as in /etc/config/dhcp:

local=/lan/
domain=lan

So I turned off DNSSEC, clicked on as many Netflix videos as I could, and got a list of domains and their IP addresses.

So ipv6_1-lagg0-c004.1.yvr004.telus.isp.nflxvideo.net actually points to:
2001:569:2:f31::2 and 205.250.87.233

Now, is there any way to set domain to IP manually? I am thinking of something similar to a hosts file.

I also noticed that the domain names have a similar pattern, with the last number of c004 and yvr004 ranging from 1 to 5.

I found it interesting that with DNSSEC enabled a domain would just point to a local address.

Edit:
For those who want the list of addresses, it is easy to get from the dig command (for IPv6 you need to add -t AAAA).

SOLVED
1. I added the expand-hosts directive to /etc/dnsmasq.conf
2. I added all the Telus/Netflix domains and IP addresses to the /etc/hosts file

(Last edited by twotwo on 11 Dec 2015, 20:43)
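
The hosts-file approach from the SOLVED post, as an added example that is not part of the original thread: it turns `dig +short` answers into /etc/hosts lines and lists pinned lines that a fresh lookup no longer returns, which matters because dnsmasq answers names from /etc/hosts locally, without a DNSSEC-validated lookup. The function names, `cdn-alias.example.` and `192.0.2.10` are assumptions made for the example; the host name and its two addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.
NAME='ipv6_1-lagg0-c004.1.yvr004.telus.isp.nflxvideo.net'  # name quoted in the thread

# to_hosts NAME: read `dig +short` answers on stdin and print "ADDRESS NAME"
# lines in hosts(5) format. CNAME targets (they end in a dot) and anything
# that is not made of address characters (e.g. dig error text) are dropped.
to_hosts() {
    name=$1
    while read -r ans; do
        case $ans in
            ''|*.) continue ;;                # blank line or CNAME target
            *[!0-9a-fA-F:.]*) continue ;;     # contains non-address characters
            *:*|*.*.*.*) printf '%s %s\n' "$ans" "$name" ;;
        esac
    done
}

# lookup NAME [SERVER]: live A and AAAA query (needs dig and network access).
lookup() {
    { dig +short ${2:+"@$2"} -t A "$1"
      dig +short ${2:+"@$2"} -t AAAA "$1"; } | to_hosts "$1"
}

# stale_pins PINNED FRESH: print lines of file PINNED that are absent from
# file FRESH, i.e. pinned addresses the resolver no longer hands out.
stale_pins() {
    grep -Fxv -f "$2" "$1"
}

# Constructed `dig +short` output: the two addresses from the thread plus a
# made-up CNAME target and an error line, both of which must be filtered out.
sample_answers() {
    printf '%s\n' 'cdn-alias.example.' '205.250.87.233' \
        ';; connection timed out' '2001:569:2:f31::2'
}

# Offline demonstration on the constructed sample.
sample_answers | to_hosts "$NAME"
```

On the router, `lookup "$NAME" > /tmp/fresh` followed by `stale_pins /etc/hosts /tmp/fresh` flags pinned entries to review after the ISP renumbers its cache nodes.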

The discussion might have continued from here.