List of Netflix IPs for whitelisted Alias in pfsense?

Hi guys,

Is anyone successfully whitelisting Netflix domains anymore? Wendell made a video on it 2 years ago, but the list of domains he provided no longer works. I managed to fix it for a while by adding ‘secure.netflix.com’ to the list of domains, but that no longer works either in 2019.

I’m using openvpn as the main connection for LAN, so I am trying to send Netflix traffic around the VPN connection.

I’ve temporarily resorted to setting my Fire TV Stick to a fixed IP and routing all of its traffic to the WAN gateway instead of OpenVPN, but this seems like a vain solution; I’d prefer to have Amazon Alexa not know my personal IP and location.

I swear I am missing just one domain. That was the fix in 2018.

You can do a packet capture in pfSense while trying to access Netflix and then use Wireshark to look for DNS requests from the Netflix client; that will let you see what domains it’s trying to connect to.

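The capture-and-look-for-DNS step above, as an added example that is not part of the original thread: pfSense’s Diagnostics > Packet Capture page lets you download the capture as a libpcap file, and this script pulls the queried names out of such a file without Wireshark. The pcap it builds for itself is a constructed sample (a few queries, one response and one NTP packet on RFC 5737 addresses), not a capture from the poster’s network, and the `NETFLIX_HINTS` substrings used to flag candidate names are an assumption, not a list from Netflix.

```python
import struct
import ipaddress
from collections import Counter

# Assumption: substrings that mark Netflix-owned names; extend after looking at a real capture.
NETFLIX_HINTS = ("netflix", "nflx")


def dns_query(qname, txid=0x1234, response=False):
    """Build a minimal DNS message with one A question; QR bit set only for a response."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def frame(payload, src="192.0.2.10", dst="192.0.2.1", sport=40000, dport=53):
    """Ethernet/IPv4/UDP encapsulation; checksums left zero (the parser never checks them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + udp


def pcap(frames):
    """libpcap file: little-endian global header (linktype 1 = Ethernet) followed by records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_550_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed sample capture (names are illustrative, not a measured list of Netflix hosts).
SAMPLE_PCAP = pcap([
    frame(dns_query("www.netflix.com")),
    frame(dns_query("secure.netflix.com")),
    frame(dns_query("cdn.nflxvideo.net")),
    frame(dns_query("www.netflix.com", response=True),        # a response: must be skipped
          src="192.0.2.1", dst="192.0.2.10", sport=53, dport=40000),
    frame(dns_query("example.org")),
    frame(b"\x23" + b"\x00" * 47, dport=123),                 # NTP, not DNS: must be skipped
    frame(dns_query("secure.netflix.com")),
])


def qname_at(msg, off):
    """Decode an uncompressed domain name starting at msg[off]."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def query_name(frm):
    """Return the queried name if this frame is a DNS query (QR=0) over UDP/53, else None."""
    if len(frm) < 34 or frm[12:14] != b"\x08\x00":      # Ethernet, IPv4 ethertype only
        return None
    ip = frm[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                  # IPv4 carrying UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 20:                                   # 8-byte UDP header + 12-byte DNS header
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):
        return None
    dns = udp[8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount == 0:                  # drop responses and empty questions
        return None
    return qname_at(dns, 12)


def query_names(pcap_bytes):
    """Count every queried name in an Ethernet libpcap capture."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None or struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected an Ethernet libpcap file")
    names, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        name = query_name(pcap_bytes[off + 16:off + 16 + incl])
        if name:
            names[name] += 1
        off += 16 + incl
    return names


def netflix_candidates(pcap_bytes):
    """Sorted list of queried names that look Netflix-related, for the alias's domain list."""
    return sorted(n for n in query_names(pcap_bytes) if any(h in n for h in NETFLIX_HINTS))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for name, count in sorted(query_names(data).items()):
        print(f"{count:4d}  {name}")
    print("candidates:", netflix_candidates(data))
```

Run it as `python3 dnsnames.py capture.pcap` against the downloaded file; capture on the LAN interface with a `port 53` filter while the client is playing, so the queries are recorded before the resolver answers them. The caveat is that this only works for plain UDP DNS: a client that uses DNS over HTTPS or DNS over TLS shows nothing on port 53, and you would have to look at TLS SNI instead.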

I will try that and report back here, thank you!

Domains or IPs?
Have you tried to capture the Netflix IP ranges and route that traffic outside the tunnel?

https://ipinfo.io/AS2906
https://ipinfo.io/AS55095
https://ipinfo.io/AS40027

I’m specifically looking for domains. It seems counterintuitive to block IP ranges since those change daily.

The problem is that using a firewall to control this means you have to use IP addresses. The alias function in pfSense just does a periodic lookup of the IP for the domain; this could be different from what the Netflix client gets when it looks up the same domain name. Depending on the complexity of things like CDNs and how their DNS works, it may not even be possible to control it this way.

Which addresses change? Does Netflix rotate the addresses of its front servers? I’m talking about intercepting all three ASNs … as long as address rotation stays within the ASN address pools, nothing will slip past the rule, unless they use an address outside the ASN pool.

If you create rules that capture all pool ranges belonging to the indicated ASNs, there is no way you will miss this network traffic. Unless Netflix uses another ASN, for example a foreign CDN, in which case a gap is created and that traffic slips through; otherwise you will catch everything and redirect it to the appropriate interface …
In this way you can even pull out all the traffic for, say, AT&T, if you go to the trouble of identifying the right ASNs and address pools. I don’t see much of a problem doing it for Netflix, unless a lot of external ASNs are involved; then it becomes hard work.

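The two arguments above, the periodic hostname-alias lookup drifting away from what the client resolves and the ASN pools catching everything except a third-party CDN, put side by side as an added example that is not part of the original thread. The prefixes in `ASN_PREFIXES` are constructed stand-ins (RFC 5737 documentation ranges), not the real routes of AS2906, AS55095 or AS40027, and `CLIENT_ANSWERS` is a constructed resolver behaviour in which the same name returns a different front-end address on each lookup; pull the real prefixes from the ipinfo pages linked above or a BGP feed before building the alias.

```python
import ipaddress

# Constructed stand-ins for the prefixes announced by the three ASNs named in the thread.
# These are RFC 5737 documentation ranges, NOT the real routes of AS2906/AS55095/AS40027.
ASN_PREFIXES = {
    "AS2906": ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"],
    "AS55095": ["192.0.2.0/25"],
    "AS40027": ["192.0.2.128/26", "192.0.2.192/26"],
}

# Constructed resolver behaviour: successive lookups of one name return different front-end
# addresses (CDN steering); the last one sits outside all three pools (RFC 2544 benchmark range).
CLIENT_ANSWERS = {
    "secure.netflix.com": ["192.0.2.10", "203.0.113.45", "198.18.0.7"],
}


def prefix_table(asn_prefixes):
    """Merge every announced prefix into the smallest equivalent set of networks,
    so adjacent /25s become one /24 and the alias stays short."""
    nets = [ipaddress.ip_network(p) for ps in asn_prefixes.values() for p in ps]
    return list(ipaddress.collapse_addresses(nets))


def url_table_alias(nets):
    """One CIDR per line: the text format a pfSense 'URL Table (IPs)' alias fetches."""
    return "".join(f"{n}\n" for n in nets)


def in_asn_pools(ip, nets):
    """True if the address falls inside any pool range, i.e. the ASN alias would match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def hostname_alias_snapshot(answers, when=0):
    """What a periodically refreshed hostname alias holds: one lookup per name,
    taken at refresh time (`when` picks which rotating answer it saw)."""
    return {ips[when % len(ips)] for ips in answers.values()}


def compare(answers, nets, when=0):
    """For each address the client actually connects to, which alias type catches it
    and whether the flow is policy-routed out the WAN or falls through to the VPN default."""
    snap = hostname_alias_snapshot(answers, when)
    rows = {}
    for ips in answers.values():
        for ip in ips:
            by_host = ip in snap
            by_asn = in_asn_pools(ip, nets)
            rows[ip] = {
                "hostname_alias": by_host,
                "asn_alias": by_asn,
                "gateway": "WAN" if (by_host or by_asn) else "VPN",
            }
    return rows


if __name__ == "__main__":
    table = prefix_table(ASN_PREFIXES)
    print("alias file for the URL Table:\n" + url_table_alias(table))
    for ip, row in compare(CLIENT_ANSWERS, table).items():
        print(f"{ip:16} hostname-alias={row['hostname_alias']!s:5} "
              f"asn-alias={row['asn_alias']!s:5} -> {row['gateway']}")
```

Serve the generated text from any HTTP URL pfSense can reach, point a URL Table (IPs) alias at it, and use that alias as the destination of a LAN rule whose gateway is set to the WAN gateway. The output makes the trade-off explicit: the hostname alias only covers the one address it saw at refresh time, the ASN alias covers every address inside the pools regardless of rotation, and an address served from a network outside those ASNs (the "gap" the post describes) is caught by neither and goes down the VPN.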