IPv6 Tunnel and Netflix - Windows DNS - How Do I solve this?



  • At home, I have a Windows Active Directory network for myself because I host my own email.
    It runs DHCP and DNS.

    DHCP is set to set each client with the DNS server running on the same VM.

    It works.

    It's been slow because Windows uses IPv6 first to communicate and I don't have IPv6. This happened after a recent update.
    I enabled IPv6 tunnel and it worked amazingly.
    The Internet is super fast… very strange.

    The only problem is that my sister watches Netflix and I heard it gives an error message.

    Someone solved this issue by using BIND on pfSense.
    This is what I need assistance with...

    With Windows DNS, could I set my forwarder to pfSense?
    Then on pfSense, can I set it so that 'Netflix.com uses IPv4' only?

    Someone told me he has done it and followed a guide doing it, but the guide does not show steps.

    It would actually be more beneficial for me to have Windows DNS use my pfSense box as a DNS resolver because I hear you can control more.
    Windows DNS Forwarders are supposed to be DNS servers like BIND, so you can have more granular control.

    So does anyone have any steps/guides/instructions on how I need to set this up?

    Windows DNS > to pfSense - but what does pfSense run? Resolver? Forwarder?

    I'm just playing with IPv6 - nothing major. I'm enjoying it so far. I don't know if it's because my Windows PC finally feels relieved that it has an IPv6 address, OR if IPv6 is really that fast...



  • If you are running Windows AD, your clients must use the Windows AD DNS servers for things to work properly.
    However, if you want pfSense to have a hand in name resolution, you can set the Windows AD DNS servers to forward their DNS requests beyond what they know about to pfSense.
    You can set this under DNS server properties, Forwarders tab.
    Then on pfSense you can either use the forwarder to send to your favorite DNS host, like OpenDNS, etc, or use the resolver to allow it to do all resolutions.

    But back to your initial problem.  Netflix.com publishes both A and AAAA records in their DNS.  The AAAA records are used for IPv6 address resolution, and both types of records are returned by the DNS queries regardless of whether or not you are using IPv4 or IPv6.  What you are looking to do appears to be to modify the returned result.  That's a tougher nut to crack.
    In addition, Windows prefers IPv6 over IPv4, in fact, any OS will prefer IPv6, because that is what the powers that be have all agreed upon, however, there are ways to alter this behaviour, but it differs by OS.
    So because Netflix.com DNS queries will return both IPv4 and IPv6 addresses, your clients will use the IPv6 addresses if they have IPv6 connectivity. The problem is that because you are using a tunnel mechanism to get your IPv6 connectivity, as am I and I have this exact issue, Netflix blocks this type of usage, because you could easily circumvent Netflix's country geofencing.

    You could remove IPv6 support from the Netflix client(s), or put the Netflix client(s) on a VLAN that doesn't have IPv6 running.  I have chosen the latter, and it works reliably.



  • I used another approach - as discussed on this forum.

    My "20 million clients - biggest ISP in Europe - let's call it 'Orange' " isn't really IPv6 ready yet. They have been in some sort of "test phase" for the last 7 years.
    So, I use he.net - supported by pfSense out of the box.
    Thus, I have a WAN interface for IPv4 traffic and the IPv6-tunnel to a server from he.net (in Paris for me).
    Netflix doesn't like the IPv6 range I obtain from he.net. Or, said differently: the IPv6 I obtain is geolocated as "USA". Netflix says: no good. You're "French" - stay in France.

    So, what I did:
    I grabbed all known IPv6 that Netflix is using (their streaming servers):
    2a01:578:3:: /48
    2406:da00:ff00:: /48
    2607:f8b0:4001:: /48
    2620:108:700f:: /48
    and put them into an alias.
    And I use this alias on my LAN interface to block all IPv6 traffic that goes to these IPv6 ranges.

    This forces all Netflix clients on my LAN to use IPv4...

    Works fine for me ™

    Btw: I know, this isn't the 'best' solution (I'm locking out many IPv6 addresses that might not be owned by Netflix, but I have not had any trouble yet).
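    As an added example (not code from the post or from pfSense), a small Python model of the alias-plus-LAN-rule approach described above: it parses the four prefixes into networks, applies the block decision the LAN rule makes, and shows a client that prefers the AAAA answer falling back to the A record once its IPv6 destination is dropped. The DNS answers are constructed sample values, not real Netflix records.

```python
import ipaddress

# Prefixes exactly as listed in the post (pfSense alias entries);
# the stray space before the prefix length is stripped when parsing.
ALIAS_ENTRIES = [
    "2a01:578:3:: /48",
    "2406:da00:ff00:: /48",
    "2607:f8b0:4001:: /48",
    "2620:108:700f:: /48",
]


def parse_alias(entries):
    """Turn alias lines into IPv6Network objects (whitespace removed first)."""
    return [ipaddress.ip_network(e.replace(" ", ""), strict=False) for e in entries]


NETFLIX_V6 = parse_alias(ALIAS_ENTRIES)


def blocked_by_lan_rule(dst):
    """Mirror the LAN-interface rule: drop IPv6 traffic whose destination
    falls in any alias prefix. IPv4 destinations are never matched."""
    addr = ipaddress.ip_address(dst)
    return addr.version == 6 and any(addr in net for net in NETFLIX_V6)


def client_pick(answers):
    """Simulate a client that tries AAAA (IPv6) first and falls back to A (IPv4)
    when its IPv6 attempt is dropped by the rule. Returns (address, rrtype)."""
    for rrtype in ("AAAA", "A"):
        for ip in answers.get(rrtype, []):
            if not blocked_by_lan_rule(ip):
                return ip, rrtype
    return None, None


# Constructed sample answers: one AAAA inside an aliased /48 plus one A record.
SAMPLE_ANSWERS = {"AAAA": ["2a01:578:3::10"], "A": ["198.51.100.20"]}

if __name__ == "__main__":
    print(client_pick(SAMPLE_ANSWERS))  # ('198.51.100.20', 'A')
```

    Because each entry is a whole /48, every address in that block is dropped, which is the over-blocking the post acknowledges.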



  • Thanks, an excellent suggestion!



  • You're welcome.



  • Just wanted to say that I implemented Gertjan's suggestion, and it works great!

    Btw: I know, this isn't the 'best' solution (I'm locking out many IPv6 addresses that might not be owned by Netflix, but I have not had any trouble yet).

    Actually, those prefixes appear to be sub-allocated to Netflix from AWS (but they aren't maintaining rwhois), and appear to only belong to Netflix, so I don't think it will impact much else at the present time.

