Bypassing a Tunnel-Broker IPv6 Address For Netflix

Surprisingly, it worked beautifully… that is, until I discovered an unintended side effect

My ISP is pretty terrible but living in the United States, as I do, effectively makes internet service a regional monopoly.  In my case, not only do I pay too much for service but certain websites (cough google.com cough) are incredibly slow for no reason other than my ISP is a dick and won’t peer with them properly.

This particular ISP, despite being very large, has so far refused to roll out IPv6.  This was annoying until I figured out that I could use this to my advantage.  If they won’t peer properly over IPv4, maybe I can go through a tunnel broker to get IPv6 and route around them.  Surprisingly, it worked beautifully.  GMail has never loaded so fast at home.

It was beautiful, that is, until I discovered an unintended side effect: Netflix stopped working.

netflix error: you seem to be using an unblocker or proxy
Despite my brokered tunnel terminating inside the United States, Netflix suspects me of coming from outside the United States.

A quick Google search confirmed my suspicion.  Netflix denies access to known proxies, VPNs, and, sadly, IPv6 tunnel brokers.  My brave new world was about to somewhat less entertaining if I couldn’t fix this.

Background

Normally a DNS lookup returns both A (IPv4) and AAAA (IPv6) records together:

$ nslookup google.com
Server:     192.168.1.2
Address:    192.168.1.2#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.12.142
Name:   google.com
Address: 2607:f8b0:4006:819::200e

Some services will choose to provide multiple addresses for redundancy; if the first address doesn’t answer then your computer will automatically try the next in line.

Netflix in particular will return a large number of addresses:

$ nslookup netflix.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: netflix.com
Address: 54.152.239.3
Name: netflix.com
Address: 52.206.122.138
Name: netflix.com
Address: 35.168.183.177
Name: netflix.com
Address: 54.210.113.65
Name: netflix.com
Address: 52.54.154.226
Name: netflix.com
Address: 54.164.254.216
Name: netflix.com
Address: 54.165.157.123
Name: netflix.com
Address: 107.23.222.64
Name: netflix.com
Address: 2406:da00:ff00::3436:9ae2
Name: netflix.com
Address: 2406:da00:ff00::6b17:de40
Name: netflix.com
Address: 2406:da00:ff00::34ce:7a8a
Name: netflix.com
Address: 2406:da00:ff00::36a5:f668
Name: netflix.com
Address: 2406:da00:ff00::36a5:9d7b
Name: netflix.com
Address: 2406:da00:ff00::23a8:b7b1
Name: netflix.com
Address: 2406:da00:ff00::36d2:7141
Name: netflix.com
Address: 2406:da00:ff00::36a4:fed8

The Solution

The key is to have your local DNS resolver return A records, but not AAAA, if (and only if) it’s one of Netflix’s hostnames.

Before I document the solution, it helps to know my particular setup and assumptions:

  • IPv6 via a tunnel broker
  • BIND’s named v9.14.8

Earlier versions of BIND are configured somewhat differently: you may have different options, or (if it’s a really old build) you may need to run two separate named instances.  YMMV.

Step 0: Break Out Your Zone Info (optional but recommended)

If your zone info is part of named.conf you really should put it into it’s own file for easier maintenance and re-usability. The remaining instructions won’t work, without modification, if you don’t.

# /etc/bind/local.conf
zone "." in {
        type hint;
        file "/var/bind/named.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "pri/0.0.127.zone";
};

Step 1: Add a New IP Address

You can run a single instance of named but you’ll need at least two IP addresses to handle responses.

In this example the DNS server’s “main” IP address is 192.168.1.2 and the new IP address will be 192.168.1.3.

How you do this depends on your distribution. If you’re using openrc and netifrc then you only need to modify /etc/conf.d/net:

# Gentoo and other netifrc-using distributions
config_eth0="192.168.1.2/24 192.168.1.3/24"

Step 2: Listen To Your New Address

Add your new IP address to your listen-on directive, which is probably in /etc/bind/named.conf:

listen-on port 53 { 127.0.0.1; 192.168.1.2; 192.168.1.3; };

It’s possible that your directive doesn’t specify the IP address(es) and/or you don’t even have a listen-on directive – and that’s ok. From the manual:

The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used… If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces.

https://downloads.isc.org/isc/bind9/9.14.8/doc/arm/Bv9ARM.ch05.html

Everything I just said also applies to listen-on-v6.

Step 3: Filter Query Responses

Create a new file called /etc/bind/limited-ipv6.conf and add the following at the top:

view "internal-ipv4only" {
        match-destinations { 192.168.1.3; };
        plugin query "filter-aaaa.so" {
                # don't return ipv6 addresses
                filter-aaaa-on-v4 yes;
                filter-aaaa-on-v6 yes;
        };
};

What this block is saying is, if a request comes in on the new address, pass it through the filter-aaaa plugin.

We’re configuring the plugin to filter all AAAA record replies to ipv4 clients (filter-aaaa-on-v4) and ipv6 clients (filter-aaaa-on-v6).

Now add a new block after the first block, or modify your existing default view:

# forward certain domains back to the ipv4-only view
view "internal" {
        include "/etc/bind/local.conf";

        # AAAA zones to ignore
        zone "netflix.com" {
                type forward;
                forward only;
                forwarders { 192.168.1.3; };
        };
};

This is the default view for internal clients. Requests that don’t match preceding views fall through here.

We’re importing the local zone from step 0 (so we don’t have to maintain two copies of the same information), then forwarding all netflix.com look-ups to the new IP address, which will be handled by the internal-ipv4only view.

Step 4: Include the New Configuration File

Modify /etc/bind/named.conf again, so we’re loading the new configuration file (which includes local.conf).

#include "/etc/bind/local.conf";
include "/etc/bind/limited-ipv6.conf";

Restart named after you make this change.

Testing

nslookup can help you test and troubleshoot.

In the example below we call the “normal” service and get both A and AAAA records, but when we call the ipv4-only service we only get A records:

$ nslookup google.com 192.168.1.2
Server:         192.168.1.2
Address:        192.168.1.2#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.3.110
Name:   google.com
Address: 2607:f8b0:4006:803::200e

$ nslookup google.com 192.168.1.3
Server:         192.168.1.3
Address:        192.168.1.3#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.3.110

 

SpeedSnail! Where are you?

I got a fish tank a year or so ago. It’s one of those Back to the Roots garden tanks that support a betta and three plant buckets. We had an alge problem, so we added a snail. He gets around a lot, so we call him the SpeedSnail.

(The fish is Fish Stick. It’s what was for dinner the night we brought him home.)

Yesterday, I noticed that the tank walls were getting a little brown. I decided today was the day to clear the counters and do some maintenance on the tank. The first part of that maintenance is to take out the plant pots.

So, I take out the middle pot. The roots are a little long, but not bad. Take out the far left pot. That one is ew and I may need to invest in new growth rocks. Then comes the one with the spider plant in it. This was an experimental plant. I look in the pot and notice one of the rocks looks strangely smooth. And round.

We collect shells. I have several snail shells from various beaches and our yard. So the obvious first thought is, “who put one of the shells in there?”

Then I look at the tank, and all the alge. I look at the tiger-striped shell in my pot. And SpeedSnail took a quick trip back into the tank.

He must have climbed up the feeding tube, gotten across the rocks, and discovered there was no water up there. He sealed himself up, and waited for the water to come back.

I watched him for a while before I left to meet Quinn for lunch, and spotted him sneaking a peak from inside his shell. When I got back to the house, he was busy hoovering up alge as fast as he could.

So, the snail had an adventure. The tank will get nice and clean again. FishStick can make aggressive moves against a tank-mate that can’t care less about what he’s doing.

All is well.

A project elided

After a few too many close calls, I approached the town about making our street and another into one-way lanes.  A counter-clockwise, 1.7 mile loop around the lake.

SilverLake, Wilmington MA
Silver Lake, bounded by Main, Lake, and Grove

The town said “no” for some very good reasons.  I knew they would, but I had to give it a try.  They paid the courtesy of taking it seriously, giving me a meeting with various officials, and explaining the reasons.

I had put an actual proposal together in case this went further.  I include it here for posterity.  Read it here: Better Traffic Around Silver Lake

Anchors Aweigh!

Living where we do, with a high water table, houses are obligated to have a large hole in the floor of the basement called a “sump“.  For those lucky enough to not know, a sump’s job is to collect groundwater before it seeps up through the floor of the basement.  You then evacuate the water with a pump, colloquially (and quite logically) known as a “sump pump”.

A sump pump is a replaceable part.  The typical lifetime is supposed to be around ten years, give or take.

We last replaced our pump in 2014.  I purchased a replacement unit from “Watchdog” that proclaimed it’s longevity, speed, and reliability.  This is that same unit, a mere five years later:

decrapitated watchdog sump pump
Notice the hole in the side of the housing. It was not there when I purchased and installed the unit.

The unit continued to work in some condition, until it didn’t.  It completely failed during a heavy December rainstorm this weekend.  I came into the basement early Saturday morning to find ankle-deep water on the floor.

Woe unto the person who does not have a water alarm or redundant standby sump pump.  That person would be me.

The pump is now replaced with a unit from a different manufacturer.  Hopefully this one stands up to the elements a little better.  We’re working on a water alarm as well.

Winter, New England Style

Ah, winter in New England. Go home, winter, you’re already drunk and it’s barely December.

Last week we had a snowstorm and we were home-bound for three days.  School was cancelled on Monday and Tuesday.  I worked from home both days and slowly dug out in the afternoons.

Snow on the back deck
We finally leveled out with over a foot of snow

A week later, temperatures reached 60° F.  I was walking around in shorts and flip-flops.  (I might be weird, but you have to admit that it wasn’t weather-inappropriate.)  The clouds dropped two inches of water on us.  With nowhere for the water to go, there are puddles and ponds everywhere.

Last night, the temperature rapidly dropped, the rain turned to snow, and we got a couple or more inches.  At least the end of the day cleared up with some sun.  The snowmelt, which became treacherous as night fell, was downright beautiful for a while.

Ice caught in mid-freeze
This water on the back of my car hadn’t finished freezing when I walked by.

Tonight, as I left the house to take the dog for an icy, slippery walk, I saw signs that we had some visitors during the day.  A hawk snatched a meal from our front yard.  Meghan left our Thanksgiving bundle of corn out for the birds and squirrels; it seems that we’re feeding the whole neighborhood instead.

Imprint of hawk wing in snow
Some small animal and a hawk came to our front yard expecting a meal. Only one of them was disappointed.

By this weekend we’re expecting to be back in the 50s with more rain.  The rollercoaster that is our local weather continues.  Whee!

Its been a while

I haven’t been posting much lately. Lets see what I’ve bee up to:

  • I’ve repaired 6 Chromebooks this week. There will be more tomorrow.
  • Apple is replacing a damaged iPad because I am wicked polite and prepared with documentation.
  • I’m not going up the 20′ ladder. Just no.
  • I’ve finished yet another stocking, except for the name. I’m putting it off because I’m not sure about placement. Probably, I should make it easy to remove and change if they want to.
  • Accidentally ruined my favorite hiking boots.
  • Took some pictures.
  • Knit a hat.
  • Bought Christmas cards. I’ll start filling them out as soon as I’m done with the stocking.

All in all, life has been pretty good!

Perl: Spaces in a function or method name

I accidentally stumbled over an interesting ability/quirk in Perl: a subroutine / function / method name may contain spaces. Since I couldn’t find any info about it in the perlsub man page or on Google I decided to write it down.

It should be obvious that you can’t create such a subroutine by defining it the traditional way, but in case it isn’t: you can’t. Perl will consider the first word to be your subroutine identifier, and the following word(s) to be invalid keywords.

use strict;

sub name With Spaces
{
    print "works!\n"; # liar, doesn't work
}

Illegal declaration of subroutine main::name line 4.

NOTE: the following examples were tested in Perl versions 5.8.8 (circa 2006), 5.14.2 (circa 2011), and 5.28.2 (circa 2019).

To create a method name with a space, you have to manipulate the symbol table directly. (Indeed, I figured it out by accident thanks to an AUTOLOADed method that did that.)

sub AUTOLOAD
{
    my $self = shift;

    ( my $method = $AUTOLOAD ) =~ s{.*::}{};

    if ( exists $self->{_attr}->{ $method } ) {
        my $accessor = sub { return shift->{_attr}->{ $method } };

        {
            no strict 'refs';
            *$AUTOLOAD = $accessor;
        }

        unshift @_ => $self;
        goto &$AUTOLOAD;
    }

    return;
}

Stated more simply:

my $name = "name With Space";
*$name = sub { "works!" }; # insert directly to symbol table

Utilities like Test::Deep “just work” if there’s a space:

cmp_methods( $obj,
             [ 'name With Space' => 'value' ], # not a peep!
             'Basic methods'
            );

ok 1 - Basic Methods

The obvious question, though, is how to access it directly?

You can access a method using a variable, which is a pretty common thing to do on it’s own. (In my experience, anyway, YMMV).

my $name = 'name With Space';
my $value = $obj->$name; # works!

You can also create a reference to a string and immediately deference it.

my $value = $obj->${ \'name With Space' }; # works!

The second example works with regular function calls as well. Here’s a stand-alone example:

use strict;

{
    no strict "refs";
    my $name = "name With Space";
    *$name = sub { "works!" };
}

print ${ \"name With Space" }, "\n";' # prints "works!"

I can’t recommend creating subroutines with spaces in the name as good style, but it’s helpful to know that it can happen and how to work with it when it does.