Netflix & HE.net tunnel fix using unbound python module revisited.
-
Re: Netflix and HE.net tunnel fixed using Unbound python module
I'm on the 2.4.4-DEVELOPMENT series and here's my working setup.
Note that you need python loaded by unbound, which you can do by installing the system_patches package and adding this patch:
https://github.com/twitched/pfsense/commit/1ff1605e8d2e2c9f87aac489fd7af7a407b3440c
(Thanks to @Grimson for pointing out that this was mentioned in the original thread on the topic.)
Here are my DNS Resolver custom options:
qname-minimisation: yes
python:
python-script: /var/unbound/netflix-no-aaaa.py
Also, this requires two files in /root/: netflix-no-aaaa.py & netflix-dns.sh
netflix-dns.sh
#!/bin/sh
#make sure the directory for the python libraries is in the chroot
mkdir -p /var/unbound/usr/local/lib/python2.7
#link the actual python library directory to the chroot's directory
mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
#copy the python script to the /var/unbound directory so
#unbound-checkconf can find it
# This script is originally from https://gist.github.com/FiloSottile/e2cffde2bae1ea0c14eada229543aebd/
cp /root/netflix-no-aaaa.py /var/unbound/
cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
#create a /var/unbound directory in the /var/unbound directory so that
#unbound can find the script
mkdir -p /var/unbound/var/unbound
netflix-no-aaaa.py
# Unbound python module hooks: init/deinit/inform_super are required entry
# points; operate() is called for every query passing through the module.
def init(id, cfg):
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

# Zones whose AAAA queries are answered locally with an empty NOERROR reply.
domains = [
    "netflix.com.",
    "nflxso.net.",
]

def operate(id, event, qstate, qdata):
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        # Anything that is not an AAAA query goes on to normal resolution.
        if qstate.qinfo.qtype != RR_TYPE_AAAA:
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True

        for domain in domains:
            if qstate.qinfo.qname_str == domain or qstate.qinfo.qname_str.endswith("." + domain):
                msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                if not msg.set_return_msg(qstate):
                    qstate.ext_state[id] = MODULE_ERROR
                    return True

                # We don't need validation, result is valid
                qstate.return_msg.rep.security = 2

                qstate.return_rcode = RCODE_NOERROR
                qstate.ext_state[id] = MODULE_FINISHED
                log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                return True

        # AAAA query for a name outside the list: resolve it normally.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True

    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True

    qstate.ext_state[id] = MODULE_ERROR
    return True

log_info("pythonmod: script loaded")
I'm also using the shellcmd plugin as follows to run the script:
/root/netflix-dns.sh earlyshellcmd
In any case, I'm saving a backup of this information here: https://gist.github.com/satmandu/e6ba526505a6a0a12407eb73d95987f2
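The following is an added example, not code from the thread or from the FiloSottile gist: an offline harness for the no-AAAA decision logic of an Unbound python hook. Unbound normally injects names such as MODULE_EVENT_NEW, RR_TYPE_AAAA, DNSMessage and log_info into the script's namespace; the stand-ins here (FakeQstate, FakeRep, the DNSMessage class, simulate, is_blocked_name, BLOCKED_ZONES) are constructed for the harness so the hook can be driven without a running resolver. It goes one step beyond the thread's script by lower-casing the query name before matching, since DNS names are case-insensitive and the hook receives the name as the client sent it.

```python
# Added harness (not the thread's or the gist's code). Stand-ins for the
# constants Unbound injects; the event/state strings are constructed here,
# the RR type codes and header flag bits are the real DNS values.
MODULE_EVENT_NEW, MODULE_EVENT_PASS, MODULE_EVENT_MODDONE = "new", "pass", "moddone"
MODULE_WAIT_MODULE, MODULE_FINISHED, MODULE_ERROR = "wait", "finished", "error"
RR_TYPE_A, RR_TYPE_AAAA, RR_CLASS_IN = 1, 28, 1
PKT_QR, PKT_RA, PKT_AA = 0x8000, 0x0080, 0x0400
RCODE_NOERROR = 0

# Zones whose AAAA lookups are answered locally with an empty NOERROR reply.
BLOCKED_ZONES = ("netflix.com.", "nflxso.net.")


def log_info(msg):
    print("info: " + msg)


class FakeQinfo:
    def __init__(self, qname_str, qtype):
        self.qname_str, self.qtype = qname_str, qtype


class FakeRep:
    def __init__(self):
        self.security = 0       # the hook sets 2 so the validator accepts the reply
        self.an_numrrsets = 0   # answer section stays empty: "no AAAA records"


class FakeReturnMsg:
    def __init__(self):
        self.rep = FakeRep()


class FakeQstate:
    """Minimal stand-in for the module_qstate Unbound passes to operate()."""
    def __init__(self, qname_str, qtype):
        self.qinfo = FakeQinfo(qname_str, qtype)
        self.ext_state = {}
        self.return_msg = None
        self.return_rcode = None


class DNSMessage:
    """Stand-in for Unbound's DNSMessage: set_return_msg installs an empty reply."""
    def __init__(self, qname, qtype, qclass, flags):
        self.qname, self.qtype, self.qclass, self.flags = qname, qtype, qclass, flags

    def set_return_msg(self, qstate):
        qstate.return_msg = FakeReturnMsg()
        return True


def is_blocked_name(qname_str):
    # Normalise case before matching (assumption beyond the thread's script,
    # which compares verbatim). The "." + zone suffix test keeps names such as
    # "notnetflix.com." from matching "netflix.com.".
    name = qname_str.lower()
    return any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if qstate.qinfo.qtype == RR_TYPE_AAAA and is_blocked_name(qstate.qinfo.qname_str):
            # Same constructor arguments as the thread's script.
            msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            qstate.return_msg.rep.security = 2
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED
            log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
            return True
        # Everything else is handed on to the iterator for normal resolution.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True


def simulate(qname_str, qtype, event=MODULE_EVENT_NEW):
    """Drive one query through operate() and report what Unbound would see."""
    qstate = FakeQstate(qname_str, qtype)
    operate(0, event, qstate, None)
    return {
        "state": qstate.ext_state[0],
        "rcode": qstate.return_rcode,
        "answered_locally": qstate.return_msg is not None,
    }


if __name__ == "__main__":
    cases = [("netflix.com.", RR_TYPE_AAAA), ("www.NetFlix.com.", RR_TYPE_AAAA),
             ("notnetflix.com.", RR_TYPE_AAAA), ("netflix.com.", RR_TYPE_A),
             ("example.com.", RR_TYPE_AAAA)]
    for name, qtype in cases:
        print(name, qtype, simulate(name, qtype))
```

Running the harness shows the three outcomes a practitioner cares about: AAAA queries inside the listed zones finish in the module with an empty NOERROR answer, AAAA queries for look-alike names such as notnetflix.com. and all A queries pass through untouched, and an unexpected event leaves the module in MODULE_ERROR rather than silently answering.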
-
Some questions not yet answered:
Is there a good way to store these scripts in the pfsense configuration so that if I do a backup and restore I still have them as part of a single backup xml file?
(Is a system patch and the system patch package the proper way to do this?)
-
@satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:
Is there a better way to reload unbound without overwriting unbound.conf?
Is there a better way to include the python module in the unbound.conf?
Use the System Patches Package with the patch from the original thread.
-
-
@satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:
qname-minimisation: yes
With this option added my configuration cannot be applied; I had to remove it. Running 2.4.3-RELEASE-p1.
cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/ ... mkdir -p /var/unbound/var/unbound
Do you create a directory after you try to put a file in it?
Anyway, thanks a lot for this writeup, that solved my issue.
-
@andrewz You're right, that totally makes no sense.
I'd try putting it above the cp lines and see if that works fine.
If you retain your /var directory (don't store it in RAM) it's going to work anyway on the second reboot.
I think qname-minimization also conflicts with some other DNS settings, which I don't have enabled, so it works for me.
For what it is worth I discovered that the System Patches plugin doesn't actually apply the patch after a system update, so you're going to have to apply it manually after each update install.
Also, I modified my netflix-dns.sh script and just created a cron job as follows:
@reboot /root/netflix-dns.sh
(I'm not using the shellcmd plugin any more.)
Here's the current netflix-dns.sh:
#!/bin/sh
#make sure the directory for the python libraries is in the chroot
mkdir -p /var/unbound/usr/local/lib/python2.7
#link the actual python library directory to the chroot's directory
mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
#create a /var/unbound directory in the /var/unbound directory so that
#unbound can find the script
mkdir -p /var/unbound/var/unbound
#copy the python script to the /var/unbound directory so
#unbound-checkconf can find it
cp /root/netflix-no-aaaa.py /var/unbound/
cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
#create a /var/unbound directory in the /var/unbound directory so that
#unbound can find the script
#mkdir -p /var/unbound/var/unbound
/usr/local/sbin/pfSsh.php playback svc restart unbound
Note that the last line restarts unbound, since I've discovered that, with the timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)
-
@satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:
Note that the last line restarts unbound, since I’ve discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)
Thanks for that, will check later on.