@satmandu
Last active January 10, 2021 13:12
pfSense script to keep Hurricane Electric (HE) IPv6 tunnels from confusing Netflix, by answering Netflix AAAA queries from unbound with an empty answer so clients fall back to IPv4.
#!/bin/sh
# netflix-dns.sh: prepare the unbound chroot (/var/unbound on pfSense) so the
# unbound python module can load netflix-no-aaaa.py. Run at boot via shellcmd.
# The python script is originally from https://gist.github.com/FiloSottile/e2cffde2bae1ea0c14eada229543aebd/

# make sure the directory for the python libraries exists in the chroot
mkdir -p /var/unbound/usr/local/lib/python2.7
# expose the actual python library directory inside the chroot with a nullfs
# mount; skip it if a previous run already mounted it (nullfs mounts would stack)
if ! mount | grep -q ' on /var/unbound/usr/local/lib/python2.7 '; then
    mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
fi
# create a /var/unbound directory inside the chroot BEFORE copying into it:
# the chrooted unbound resolves the configured script path relative to /var/unbound
mkdir -p /var/unbound/var/unbound
# copy the python script to /var/unbound so unbound-checkconf (which runs
# outside the chroot) can find it, and into the chroot so unbound itself can
cp /root/netflix-no-aaaa.py /var/unbound/
cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
satmandu commented Jun 5, 2018

The netflix-no-aaaa.py script is as follows, via https://gist.github.com/FiloSottile/e2cffde2bae1ea0c14eada229543aebd/

# netflix-no-aaaa.py: unbound python module that answers AAAA queries for the
# listed domains with an empty NOERROR (NODATA) reply, so clients fall back to
# IPv4. Every other query is passed on to the next module untouched.
# The pythonmod API (qstate, DNSMessage, log_info, the MODULE_*, RR_TYPE_*,
# RR_CLASS_*, PKT_* and RCODE_* constants) is injected into the script's
# namespace by unbound, so there is nothing to import.

def init(id, cfg):
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

# zones to block, as fully qualified lowercase names with the trailing dot
domains = [
    "netflix.com.",
    "nflxso.net.",
]

def operate(id, event, qstate, qdata):
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        if qstate.qinfo.qtype != RR_TYPE_AAAA:
            # not an AAAA query: hand it to the next module (validator/iterator)
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True

        # DNS names are case-insensitive; fold so NETFLIX.COM. is caught as well
        qname = qstate.qinfo.qname_str.lower()
        for domain in domains:
            # exact match or a subdomain; the leading dot keeps notnetflix.com. from matching
            if qname == domain or qname.endswith("." + domain):
                # build an authoritative reply with no answer records (NODATA)
                msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_AAAA, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                if not msg.set_return_msg(qstate):
                    qstate.ext_state[id] = MODULE_ERROR
                    return True
                # 2 is sec_status_indeterminate: the synthesised reply is marked
                # unvalidated (neither secure nor bogus) and never gets the AD bit
                qstate.return_msg.rep.security = 2
                qstate.return_rcode = RCODE_NOERROR
                qstate.ext_state[id] = MODULE_FINISHED
                log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                return True

        # AAAA query for some other name: let it resolve normally
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True

    if event == MODULE_EVENT_MODDONE:
        # the next module finished; hand its result back unchanged
        qstate.ext_state[id] = MODULE_FINISHED
        return True

    qstate.ext_state[id] = MODULE_ERROR
    return True

log_info("pythonmod: script loaded")

satmandu commented Jun 5, 2018

I'm also using the shellcmd plugin as follows to both run the script and enable the python module in unbound.conf and reload the unbound configuration:

/root/netflix-dns.sh earlyshellcmd
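
The unbound.conf lines that enabling the python module amounts to, shown here as an added example and not the author's own configuration. It assumes pfSense's default chroot of /var/unbound, that DNSSEC is enabled (so the stock module list is "validator iterator"), and that the script paths match netflix-dns.sh above; on pfSense these lines go into the Custom options box of Services > DNS Resolver.

```conf
# unbound.conf fragment (assumed pfSense layout: chroot and directory are /var/unbound)
server:
    # Put the python module in front of the validator so it sees every query
    # first and can finish the AAAA queries it blocks before any lookup happens.
    # If DNSSEC is disabled in pfSense the stock list is "iterator", so use
    # "python iterator" instead; the module order must otherwise stay as is.
    module-config: "python validator iterator"

python:
    # Path as seen on the pfSense host. netflix-dns.sh also copies the file to
    # /var/unbound/var/unbound/ so the same path works inside the chroot.
    python-script: "/var/unbound/netflix-no-aaaa.py"
```

After a reload, `unbound-checkconf` should report no errors (the copy in /var/unbound/ exists for that check), and the log should show the "pythonmod: script loaded" line from the script followed by "no-aaaa: blocking AAAA request for ..." entries when a client asks for netflix.com over IPv6; an A query for the same name must still return addresses.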
