Florent Daignière's blog

Posted 05 Jan, 2015

Netflix ultimate geolocation bypass with an edgerouter

It looks like Netflix has updated their geolocation code... attempting to prevent their users from watching content intended for other regions. This post explores a few technical avenues one might consider to bypass it.

Googling around, it quickly becomes clear that many people are making a living out of selling bypasses, both as technical solutions and as support. The signal-to-noise ratio is very low, and after 15 minutes it was obvious that tcpdumping the traffic is the way to find out "what they've changed".

Up until this month, users tended to use two different techniques to get around the restrictions. They either subscribe to a VPN service (in addition to their Netflix subscription!) or to what providers call a "smart DNS". Both solutions are unacceptable to me as they are completely inadequate security-wise. Why should I trust a random system on the internet with my internet traffic when I don't have to?

To give an illustration of why it's a bad idea, let's talk about what seems to be the most popular solution: Hola; it's free as in free beer. Turns out that these guys are operating a peer-to-peer network of proxies, reselling your bandwidth through their Luminati service. One should keep in mind that, on the internet, if you're not paying, odds are you're the product!

TCPDumping the traffic in and out, it became apparent that the geolocation is happening at the DNS level. Luckily for us, there are plenty of open DNS resolvers on the internet. While I won't write down the one I use for obvious reasons, I'll share a list of ideas where you can find one (for free!):

Of course, I wouldn't trust any of them with all my DNS traffic (unlike most of the tutorials I've found on the internet)... So instead of changing the system's resolver to one of them, here is the EdgeRouter command I've used:

set service dns forwarding options server=/netflix.com/$ip

This ensures that only queries for *.netflix.com are forwarded to that DNS resolver.

This had been working for years, up until this month when the application was updated. Ever since, the geolocation finds out which zone I'm actually entitled to. TCPDumping the traffic has once again proved useful and told me that Netflix now does two different DNS queries, one through the system's configured resolver and one through a hardcoded one (Google's). It then decides which zone you're in based on both results, trusting Google's over your local DNS. So yes; if you used to bypass their zone restriction using DNS, they know it ;)
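As an added illustration (not code from this post), here is the double-lookup consistency check described above: resolve a name through one resolver, resolve it again directly at a hard-coded public resolver, and flag the case where the two answer sets share no address. A network operator can run the same comparison from a LAN host to notice per-domain DNS forwarding of the first kind; note that the DNAT trick discussed later defeats it precisely because both paths then return the same answer. The hostname, the addresses and the build_response helper are constructed test data, not real records.

```python
import socket
import struct

def _encode_name(name):  # hostname -> DNS label wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """Minimal A/IN query, recursion desired, as a stub resolver sends it."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(name, addrs, txid=0x1234, ttl=60):
    """Constructed test response; answer names are 0xC00C pointers back to the question."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + _encode_name(name) + struct.pack(">HH", 1, 1) + rrs

def _skip_name(msg, off):
    """Advance past a label sequence or a compression pointer; return the next offset."""
    while (ln := msg[off]) & 0xC0 != 0xC0:
        off += 1 + ln
        if ln == 0:
            return off
    return off + 2

def parse_a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE/QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolvers_disagree(local_answers, public_answers):
    """Both resolvers answered, but share no address: split-horizon or redirected DNS."""
    return bool(local_answers) and bool(public_answers) and local_answers.isdisjoint(public_answers)

def query(resolver_ip, name, timeout=2.0):
    """Live variant (needs network): one UDP query straight at resolver_ip, ignoring resolv.conf."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_a_records(s.recv(512))
```

For a live run, compare `query("<LAN resolver>", name)` with `query("8.8.8.8", name)` for a name you care about; the offline helpers let you exercise the parser without any network.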

My initial (naive) attempt was to try out what happens when Google can't be reached. The following command does just that:

set protocols static route 8.8.8.8 blackhole

This works for some definition of "work". The stream will eventually start, but you will have to wait for timeouts while navigating and picking your movie, making the whole trick sub-optimal. A better solution is to do destination NAT and pretend that our local resolver is Google's. It can be achieved using the following config:

edit service nat rule 4999
set description netflix
set destination address 8.8.8.8
set destination port 53
set inbound-interface $LAN_IF
set inside-address address $LAN_IP
set protocol tcp_udp
set type destination

Using iptables, it would look like this:

iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i $LAN_IF -p udp -m udp --dport 53 -j DNAT --to-destination $LAN_IP
iptables -t nat -A PREROUTING -d 8.8.8.8/32 -i $LAN_IF -p tcp -m tcp --dport 53 -j DNAT --to-destination $LAN_IP

That works wonders and is the ultimate solution to me. It neither wastes bandwidth encapsulating traffic in a tunnel nor trusts random unknowns on the internet to route it for me... and it's free!

Category: Blog
Tags: edgerouter sysadmin blog