Netflix & HE.net tunnel fix using unbound python module revisited.



  • Re: Netflix and HE.net tunnel fixed using Unbound python module

    I'm on the 2.4.4-DEVELOPMENT series and here's my working setup.

    Note that you need python loaded by unbound, which you can do by installing the system_patches package and adding this patch:

    https://github.com/twitched/pfsense/commit/1ff1605e8d2e2c9f87aac489fd7af7a407b3440c

    (Thanks to @Grimson for pointing out that this was mentioned in the original thread on the topic.)

    Here are my DNS Resolver custom options:

    qname-minimisation: yes
    python:
    python-script: /var/unbound/netflix-no-aaaa.py
    

    Also, this requires two files in /root/: netflix-no-aaaa.py & netflix-dns.sh

    netflix-dns.sh

    #!/bin/sh
    
    
    #make sure the directory for the python libraries is in the chroot
    mkdir -p /var/unbound/usr/local/lib/python2.7
    
    #link the actual python library directory to the chroot's directory
    mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
    
    #copy the python script to the /var/unbound directory so
    #unbound-checkconf can find it
    # This script is originally from https://gist.github.com/FiloSottile/e2cffde2bae1ea0c14eada229543aebd/
    cp /root/netflix-no-aaaa.py /var/unbound/
    cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
    
    #create a /var/unbound directory in the /var/unbound directory so that
    #unbound can find the script
    mkdir -p /var/unbound/var/unbound
    

    netflix-no-aaaa.py

    def init(id, cfg):
        return True
    
    def deinit(id):
        return True
    
    def inform_super(id, qstate, superqstate, qdata):
        return True
    
    domains = [
        "netflix.com.",
        "nflxso.net.",
    ]
    
    def operate(id, event, qstate, qdata):
        if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
            if qstate.qinfo.qtype != RR_TYPE_AAAA:
                qstate.ext_state[id] = MODULE_WAIT_MODULE
                return True
    
            for domain in domains:
                if qstate.qinfo.qname_str == domain or qstate.qinfo.qname_str.endswith("." + domain):
                    msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                    if not msg.set_return_msg(qstate):
                        qstate.ext_state[id] = MODULE_ERROR
                        return True
                    # We don't need validation, result is valid
                    qstate.return_msg.rep.security = 2
                    qstate.return_rcode = RCODE_NOERROR
                    qstate.ext_state[id] = MODULE_FINISHED
                    log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                    return True
    
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True
    
        if event == MODULE_EVENT_MODDONE:
            qstate.ext_state[id] = MODULE_FINISHED
            return True
    
        qstate.ext_state[id] = MODULE_ERROR
        return True
    
    log_info("pythonmod: script loaded")
    

    I'm also using the shellcmd plugin as follows to run the script:

    /root/netflix-dns.sh earlyshellcmd
    

    In any case, I'm saving a backup of this information here: https://gist.github.com/satmandu/e6ba526505a6a0a12407eb73d95987f2
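An added test harness for the pythonmod policy posted above (example code written for this thread; it is not the gist's script, not pfSense code and not part of Unbound). It stubs the names Unbound injects into a pythonmod script (the event/state constants, DNSMessage, log_info) so the "match the domain, answer AAAA with empty NOERROR" logic can be exercised on any workstation with Python 3 before the file is copied into the chroot. Assumptions to keep in mind: the stub constant values are placeholders, not Unbound's; the harness lower-cases qname_str before matching, which the thread's script does not do (Unbound is not assumed to normalise case before the python module sees the name); and it synthesizes the empty answer for the client's own query type rather than RR_TYPE_A.

```python
"""Offline harness for an Unbound python-module "no AAAA" policy.

Added example for this thread; not the gist's script, not pfSense code,
not part of Unbound.  Stubs what Unbound injects into a pythonmod script
so the policy can be unit-tested without a pfSense box.  Constant values
are harness placeholders, not the values Unbound itself uses.
"""

# ---- stand-ins for the names Unbound injects into a pythonmod script ----
MODULE_EVENT_NEW, MODULE_EVENT_PASS, MODULE_EVENT_MODDONE = "new", "pass", "moddone"
MODULE_WAIT_MODULE, MODULE_FINISHED, MODULE_ERROR = "wait_module", "finished", "error"
RR_TYPE_A, RR_TYPE_AAAA, RR_CLASS_IN = 1, 28, 1
PKT_QR, PKT_RA, PKT_AA = 0x8000, 0x0080, 0x0400
RCODE_NOERROR = 0
REP_SECURITY_VALUE = 2   # the literal the thread's script writes; not interpreted here

LOG = []                 # captured log_info() lines, for inspection in tests


def log_info(msg):
    LOG.append(msg)


class _Rep:
    def __init__(self):
        self.security = 0


class _ReturnMsg:
    def __init__(self, qname, qtype):
        self.qname, self.qtype, self.rep = qname, qtype, _Rep()


class DNSMessage:
    """Records the synthesized answer instead of building wire format."""
    def __init__(self, qname, qtype, qclass, flags):
        self.qname, self.qtype, self.qclass, self.flags = qname, qtype, qclass, flags

    def set_return_msg(self, qstate):
        qstate.return_msg = _ReturnMsg(self.qname, self.qtype)
        return 1             # Unbound reports success with a non-zero value


class _QInfo:
    def __init__(self, qname_str, qtype):
        self.qname_str, self.qtype = qname_str, qtype


class QState:
    def __init__(self, qname_str, qtype):
        self.qinfo = _QInfo(qname_str, qtype)
        self.ext_state = {}
        self.return_msg = None
        self.return_rcode = None


# ---- the policy under test ----
BLOCKED_DOMAINS = ("netflix.com.", "nflxso.net.")


def qname_matches(qname_str, domains=BLOCKED_DOMAINS):
    """Exact or proper-suffix match on a dotted, fully-qualified name.

    Lower-casing is this harness's addition (assumption: Unbound hands the
    client's name to the module as sent, so WWW.NETFLIX.COM. would not
    match a verbatim comparison).  The "." + domain suffix test is what
    keeps notnetflix.com. and netflix.com.example. from matching.
    """
    name = qname_str.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        # Only AAAA queries for listed names are answered here; everything
        # else is handed to the next module (the iterator) untouched.
        if qstate.qinfo.qtype != RR_TYPE_AAAA or not qname_matches(qstate.qinfo.qname_str):
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True
        # Synthesize an empty NOERROR answer (NODATA) for the client's own
        # question type; the thread's script passes RR_TYPE_A here instead.
        msg = DNSMessage(qstate.qinfo.qname_str, qstate.qinfo.qtype, RR_CLASS_IN,
                         PKT_QR | PKT_RA | PKT_AA)
        if not msg.set_return_msg(qstate):
            qstate.ext_state[id] = MODULE_ERROR
            return True
        qstate.return_msg.rep.security = REP_SECURITY_VALUE
        qstate.return_rcode = RCODE_NOERROR
        qstate.ext_state[id] = MODULE_FINISHED
        log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True


def run_query(qname_str, qtype, event=MODULE_EVENT_NEW, module_id=0):
    """Drive operate() once; return (ext_state, rcode, answer synthesized?)."""
    qstate = QState(qname_str, qtype)
    operate(module_id, event, qstate, None)
    return qstate.ext_state[module_id], qstate.return_rcode, qstate.return_msg is not None


if __name__ == "__main__":
    # constructed sample queries, mixed case and look-alike names included
    for name, qtype in [("www.netflix.com.", RR_TYPE_AAAA), ("WWW.NETFLIX.COM.", RR_TYPE_AAAA),
                        ("notnetflix.com.", RR_TYPE_AAAA), ("netflix.com.example.", RR_TYPE_AAAA),
                        ("www.netflix.com.", RR_TYPE_A)]:
        print("%-24s type=%-3d -> %s" % (name, qtype, run_query(name, qtype)))
```

Running the file prints one line per constructed query; the two look-alike names and the plain A query fall through to the next module, while the listed names (in either case) get the synthesized empty answer. Swapping the policy body for the version from the thread lets you check the same cases against the script you are actually deploying.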



  • Some questions not yet answered:

    Is there a good way to store these scripts in the pfsense configuration so that if I do a backup and restore I still have them as part of a single backup xml file?

    (Is a system patch and the system patch package the proper way to do this?)



  • @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

    Is there a better way to reload unbound without overwriting unbound.conf?

    Is there a better way to include the python module in the unbound.conf?

    Use the System Patches Package with the patch from the original thread.



  • @grimson

    ...

    And it occurs to me that there is a System Patches Package.

    Thanks for that. 😔

    Sigh.



  • @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

    qname-minimisation: yes

    With this option added my configuration cannot be applied; I had to remove it. Running 2.4.3-RELEASE-p1.

    cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
    ...
    mkdir -p /var/unbound/var/unbound
    

    Do you create a directory after you try to put a file in it?

    Anyway, thanks a lot for this writeup, that solved my issue.



  • @andrewz You're right, that totally makes no sense.

    I'd try putting it above the cp lines and see if that works fine.

    If you retain your /var directory (don't store it in ram) it's going to work anyways on the second reboot.

    I think qname-minimisation also conflicts with some other DNS settings, which I don't have enabled, so it works for me.

    For what it is worth I discovered that the System Patches plugin doesn't actually apply the patch after a system update, so you're going to have to apply it manually after each update install.

    Also,

    I modified my netflix-dns.sh script and just created a cron job as follows:

    @reboot /root/netflix-dns.sh
    

    (I'm not using the shellcmd plugin any more.)

    Here's the current netflix-dns.sh:

    #!/bin/sh
    
    #make sure the directory for the python libraries is in the chroot
    mkdir -p /var/unbound/usr/local/lib/python2.7
    
    #nullfs-mount the actual python library directory into the chroot
    #(skip it if a previous run already mounted it, so re-running the
    # script by hand does not stack mounts on top of each other)
    if ! mount | grep -q ' on /var/unbound/usr/local/lib/python2.7 '; then
        mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
    fi
    
    #create a /var/unbound directory inside the chroot so that
    #unbound can find the script at its configured path
    mkdir -p /var/unbound/var/unbound
    
    #copy the python script to /var/unbound (so unbound-checkconf can
    #find it) and to the same path inside the chroot (so unbound can)
    cp /root/netflix-no-aaaa.py /var/unbound/
    cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
    
    #restart unbound so it comes up only after the python libraries
    #are reachable inside the chroot
    /usr/local/sbin/pfSsh.php playback svc restart unbound
    

    Note that the last line restarts unbound, since I've discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)



  • @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

    Note that the last line restarts unbound, since I’ve discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)

    Thanks for that, will check later on.