Netgate Discussion Forum

Netflix & HE.net tunnel fix using unbound python module revisited.

    satadru, Jun 5, 2018, 3:45 PM (last edited by satadru Jun 6, 2018, 2:15 PM)

    Re: Netflix and HE.net tunnel fixed using Unbound python module

    I'm on the 2.4.4-DEVELOPMENT series and here's my working setup.

    Note that you need python loaded by unbound, which you can do by installing the system_patches package and adding this patch:

    https://github.com/twitched/pfsense/commit/1ff1605e8d2e2c9f87aac489fd7af7a407b3440c

    (Thanks to @Grimson for pointing out that this was mentioned in the original thread on the topic.)

    Here are my DNS Resolver custom options:

    qname-minimisation: yes
    python:
    python-script: /var/unbound/netflix-no-aaaa.py

    Also, this requires two files in /root/: netflix-no-aaaa.py & netflix-dns.sh

    netflix-dns.sh

    #!/bin/sh
    
    #make sure the directory for the python libraries is in the chroot
    mkdir -p /var/unbound/usr/local/lib/python2.7
    
    #link the actual python library directory to the chroot's directory
    mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
    
    #copy the python script to the /var/unbound directory so
    #unbound-checkconf can find it
    # This script is originally from https://gist.github.com/FiloSottile/e2cffde2bae1ea0c14eada229543aebd/
    cp /root/netflix-no-aaaa.py /var/unbound/
    cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
    
    #create a /var/unbound directory in the /var/unbound directory so that
    #unbound can find the script
    mkdir -p /var/unbound/var/unbound
    

    netflix-no-aaaa.py

    def init(id, cfg):
        return True
    
    def deinit(id):
        return True
    
    def inform_super(id, qstate, superqstate, qdata):
        return True
    
    domains = [
        "netflix.com.",
        "nflxso.net.",
    ]
    
    def operate(id, event, qstate, qdata):
        # A new query, or one passed on by an earlier module: decide whether to answer it here
        if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
            # Anything that is not an AAAA query goes on to the next module untouched
            if qstate.qinfo.qtype != RR_TYPE_AAAA:
                qstate.ext_state[id] = MODULE_WAIT_MODULE
                return True
    
            # Exact match or subdomain of a listed name; the "." prefix on the suffix
            # test keeps unrelated names such as notnetflix.com. from matching
            for domain in domains:
                if qstate.qinfo.qname_str == domain or qstate.qinfo.qname_str.endswith("." + domain):
                    # Hand back an empty NOERROR answer, so the client falls back to A (IPv4)
                    msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                    if not msg.set_return_msg(qstate):
                        qstate.ext_state[id] = MODULE_ERROR
                        return True
                    # We don't need validation, result is valid
                    qstate.return_msg.rep.security = 2
                    qstate.return_rcode = RCODE_NOERROR
                    # Finished here: the query never goes upstream
                    qstate.ext_state[id] = MODULE_FINISHED
                    log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                    return True
    
            # AAAA query for any other name: let unbound resolve it normally
            qstate.ext_state[id] = MODULE_WAIT_MODULE
            return True
    
        # The module after us has finished; nothing more to do for this query
        if event == MODULE_EVENT_MODDONE:
            qstate.ext_state[id] = MODULE_FINISHED
            return True
    
        # Any other event is unexpected
        qstate.ext_state[id] = MODULE_ERROR
        return True
    
    log_info("pythonmod: script loaded")
    

    I'm also using the shellcmd plugin as follows to run the script:

    /root/netflix-dns.sh earlyshellcmd

    In any case, I'm saving a backup of this information here: https://gist.github.com/satmandu/e6ba526505a6a0a12407eb73d95987f2

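To try the matching rule from netflix-no-aaaa.py without loading it into Unbound, here is an added example (not from the thread, the gist, or Unbound itself) that stubs the few qstate fields the script touches and runs sample queries through the same state transitions; the constant values are placeholders, and, going one step beyond the posted script, the name is lowercased before comparison since DNS names are case-insensitive.

```python
# Added example (not from the thread, the gist or Unbound): an offline check of the
# AAAA-blocking rule in netflix-no-aaaa.py, using a stand-in for the qstate object that
# Unbound hands to operate(). The constant values are placeholders, not Unbound's own.
MODULE_EVENT_NEW, MODULE_EVENT_PASS, MODULE_EVENT_MODDONE = "new", "pass", "moddone"
MODULE_WAIT_MODULE, MODULE_FINISHED, MODULE_ERROR = "wait_module", "finished", "error"
RR_TYPE_A, RR_TYPE_AAAA, RCODE_NOERROR = 1, 28, 0

DOMAINS = ["netflix.com.", "nflxso.net."]  # same list as the script, trailing dots included

class QInfo:
    def __init__(self, qname, qtype):
        self.qname_str, self.qtype = qname, qtype

class QState:
    """Only the fields the script reads and writes."""
    def __init__(self, qname, qtype):
        self.qinfo = QInfo(qname, qtype)
        self.ext_state = {}
        self.return_rcode = None

def name_is_blocked(qname, domains=DOMAINS):
    # Exact match or a subdomain: the "." + domain suffix test is what keeps an
    # unrelated name such as notnetflix.com. from matching.
    qname = qname.lower()  # added here: DNS names are case-insensitive, the script compares as-is
    return any(qname == d or qname.endswith("." + d) for d in domains)

def operate(id, event, qstate):
    """Same state transitions as the script's operate(), minus building the DNSMessage."""
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if qstate.qinfo.qtype == RR_TYPE_AAAA and name_is_blocked(qstate.qinfo.qname_str):
            qstate.return_rcode = RCODE_NOERROR  # empty answer, so clients fall back to A
            qstate.ext_state[id] = MODULE_FINISHED  # the query never goes upstream
        else:
            qstate.ext_state[id] = MODULE_WAIT_MODULE  # hand off to the next module
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True

def decide(qname, qtype):
    """Run one fresh query through the module and report the resulting ext_state."""
    qs = QState(qname, qtype)
    operate(0, MODULE_EVENT_NEW, qs)
    return qs.ext_state[0]

if __name__ == "__main__":
    for q in [("netflix.com.", RR_TYPE_AAAA), ("www.netflix.com.", RR_TYPE_AAAA),
              ("notnetflix.com.", RR_TYPE_AAAA), ("netflix.com.", RR_TYPE_A)]:
        print(q, "->", decide(*q))
```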
      satadru, Jun 5, 2018, 3:47 PM (last edited by satadru Jun 6, 2018, 2:15 PM)

      Some questions not yet answered:

      Is there a good way to store these scripts in the pfsense configuration so that if I do a backup and restore I still have them as part of a single backup xml file?

      (Is a system patch and the system patch package the proper way to do this?)

        Grimson @satadru, Jun 6, 2018, 1:36 PM

        @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

        Is there a better way to reload unbound without overwriting unbound.conf?

        Is there a better way to include the python module in the unbound.conf?

        Use the System Patches Package with the patch from the original thread.

          satadru @Grimson, Jun 6, 2018, 1:59 PM

          @grimson

          ...

          And it occurs to me that there is a System Patches Package.

          Thanks for that. 😔

          Sigh.

            AndrewZ @satadru, Jun 15, 2018, 5:40 PM

            @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

            qname-minimisation: yes

            With this option added my configuration cannot be applied; I had to remove it. Running 2.4.3-RELEASE-p1.

            cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
            ...
            mkdir -p /var/unbound/var/unbound

            Do you create a directory after you try to put a file in it?

            Anyway, thanks a lot for this writeup, that solved my issue.

              satadru @AndrewZ, Jun 15, 2018, 7:20 PM

              @andrewz You're right, that totally makes no sense.

              I'd try putting it above the cp lines and see if that works fine.

              If you retain your /var directory (don't store it in ram) it's going to work anyways on the second reboot.

              I think qname-minimization also conflicts with some other DNS settings, which I don't have enabled, so it works for me.

              For what it is worth I discovered that the System Patches plugin doesn't actually apply the patch after a system update, so you're going to have to apply it manually after each update install.

              Also,

              I modified my netflix-dns.sh script and just created a cron job as follows:

              @reboot /root/netflix-dns.sh

              (I'm not using the shellcmd plugin any more.)

              Here's the current netflix-dns.sh:

              #!/bin/sh
              
              #make sure the directory for the python libraries is in the chroot
              mkdir -p /var/unbound/usr/local/lib/python2.7
              
              #link the actual python library directory to the chroot's directory
              mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
              
              #create a /var/unbound directory in the /var/unbound directory so that
              #unbound can find the script
              mkdir -p /var/unbound/var/unbound
              
              #copy the python script to the /var/unbound directory so
              #unbound-checkconf can find it
              cp /root/netflix-no-aaaa.py /var/unbound/
              cp /root/netflix-no-aaaa.py /var/unbound/var/unbound/
              
              #create a /var/unbound directory in the /var/unbound directory so that
              #unbound can find the script
              #mkdir -p /var/unbound/var/unbound
              /usr/local/sbin/pfSsh.php playback svc restart unbound
              

              Note that the last line restarts unbound, since I've discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)

                AndrewZ @satadru, Jun 15, 2018, 7:38 PM

                @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.:

                Note that the last line restarts unbound, since I’ve discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.)

                Thanks for that, will check later on.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.