Due to the lack of IPv6 connectivity from my local ISP, I am using the IPv6 tunnel service from Hurricane Electric. But since Netflix introduced their proxy filtering feature, HE's service is banned. Because of this I needed to force my network devices to use good old IPv4 for any Netflix-related traffic without giving up on IPv6 completely.
Turris Omnia uses Knot Resolver as its DNS server by default, and I wasn't able to find any quick way to create a policy that would filter only AAAA records for a selected domain. As a workaround I started a BIND9 instance, which can do that easily, and forwarded the netflix.com domain from kresd to that BIND instance.
Install the server
opkg install bind-rndc bind-server bind-server-filter-aaaa
Replace /etc/bind/named.conf with this minimal configuration that filters AAAA records:
plugin query "/usr/lib/bind/filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    filter-aaaa-on-v6 yes;
};

options {
    directory "/tmp";
    forwarders { 127.0.0.1; };
    forward only;
    auth-nxdomain no;
    // run bind on the local loopback interface only and listen on port 2053
    listen-on port 2053 { 127.0.0.1; };
    listen-on-v6 port 2053 { ::1; };
    allow-query { any; };        // If running on a public IP
    allow-recursion { any; };    // If running on a public IP
    allow-query-cache { any; };  // If running on a public IP
};
Enable BIND9 at boot
/etc/init.d/named enable
And start it
/etc/init.d/named start
Just create a netflix.conf file in the /etc/kresd directory with this content:
-- forward everything under netflix.com to the local BIND instance on port 2053
local netflix_rule = policy.add(policy.suffix(policy.FORWARD('127.0.0.1@2053'), policy.todnames({'netflix.com'})))
-- move the rule to the front of the policy table so it is evaluated first
policy.del(netflix_rule.id)
table.insert(policy.rules, 1, netflix_rule)
In the /etc/config/resolver configuration file, add a new line to the kresd section that loads the /etc/kresd/netflix.conf config file, like this:
config resolver 'kresd'
    option include_config '/etc/kresd/netflix.conf'
And now just restart kresd to use the new configuration:
/etc/init.d/kresd restart
BIND output
dig @localhost -p 2053 netflix.com AAAA
Kresd output
dig @localhost -p 53 netflix.com AAAA
Google DNS output
dig @8.8.8.8 -p 53 netflix.com AAAA
If everything works correctly, you should not see any AAAA records in the first two outputs, while the Google DNS output still returns them.
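To make concrete what the filter-aaaa plugin is doing to the responses checked above, here is an added Python illustration (not the page's code and not BIND's implementation) that walks the answer section of a DNS response and drops every AAAA record, rewriting ANCOUNT. The sample response is constructed inline; the filter assumes name-compression pointers only target the question name, which is the common case.

```python
import struct
TYPE_A, TYPE_AAAA = 1, 28

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def _parse_answers(msg):
    """Return (answers_start, answers_end, [(rr_start, rr_end, rtype), ...])."""
    qd, an = struct.unpack('!HH', msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    begin, rrs = off, []
    for _ in range(an):
        start = off
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        rrs.append((start, off, rtype))
    return begin, off, rrs

def answer_types(msg):
    return [rtype for _s, _e, rtype in _parse_answers(msg)[2]]

def strip_aaaa(msg):
    """Drop every AAAA RR from the answer section and rewrite ANCOUNT.
    Simplification: assumes compression pointers only target the question name."""
    begin, end, rrs = _parse_answers(msg)
    kept = [msg[s:e] for s, e, rtype in rrs if rtype != TYPE_AAAA]
    header = msg[:6] + struct.pack('!H', len(kept)) + msg[8:12]
    return header + msg[12:begin] + b''.join(kept) + msg[end:]

def _name(dotted):                      # uncompressed wire-format name
    return b''.join(bytes([len(l)]) + l.encode() for l in dotted.strip('.').split('.')) + b'\x00'
def _rr(owner, rtype, ttl, rdata):      # one resource record, class IN
    return owner + struct.pack('!HHIH', rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample response (not captured traffic): one question for example.test,
# answers hold an A and an AAAA whose owner names point (0xC00C) to the question name.
QNAME_PTR = b'\xc0\x0c'
SAMPLE = (struct.pack('!6H', 0x1234, 0x8180, 1, 2, 0, 0)
          + _name('example.test') + struct.pack('!HH', TYPE_AAAA, 1)
          + _rr(QNAME_PTR, TYPE_A, 300, bytes([192, 0, 2, 10]))
          + _rr(QNAME_PTR, TYPE_AAAA, 300, bytes.fromhex('20010db8' + '00' * 11 + '01')))
```

Running `answer_types(strip_aaaa(SAMPLE))` yields only the A record type, which is the same effect the dig checks above should show for the BIND and kresd outputs.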
Happy Netflix watching while using IPv6 elsewhere!