Netflix and HE tunnel broker
-
Has anyone tried this before
#======================
# Server-wide settings
#======================
server:
    do-not-query-localhost: no
    # private-domain takes one name per line; each entry also covers its subdomains
    private-domain: "home.arpa"
    private-domain: "local"
    private-domain: "internal.local"
    private-domain: "guest.home.arpa"

    #======================
    # Block Apple Private Relay
    # (reduces log flood, devices back off gracefully)
    #======================
    local-zone: "mask-h2.icloud.com" always_nxdomain
    local-zone: "mask.icloud.com" always_nxdomain
    local-zone: "mask-canary.icloud.com" always_nxdomain
    local-zone: "appleid.cdn-apple.com" always_nxdomain
    local-zone: "mask-api.icloud.com" always_nxdomain

    #======================
    # Block Windows Teredo / DoH bypass
    # (forces Windows to use your network properly)
    #======================
    local-zone: "teredo.ipv6.microsoft.com" always_nxdomain
    local-zone: "win10.ipv6.microsoft.com" always_nxdomain
    local-zone: "dns.msftncsi.com" always_nxdomain
    local-zone: "ipv6.msftncsi.com" always_nxdomain
    local-zone: "win11.ipv6.microsoft.com" always_nxdomain
    local-zone: "doh.cq0.co" always_nxdomain

    #======================
    # Force Netflix IPv4 only
    #======================
    # Main domains & CDN. A local-zone applies to the name and everything
    # below it, so separate "*.netflix.com" style entries are not needed.
    local-zone: "netflix.com" typetransparent
    local-zone: "netflix.net" typetransparent
    local-zone: "nflxvideo.net" typetransparent
    local-zone: "nflxso.net" typetransparent
    local-zone: "nflxext.com" typetransparent
    # FTL / Streaming endpoints (already covered by netflix.com, listed explicitly)
    local-zone: "ios.prod.ftl.netflix.com" typetransparent
    local-zone: "ios26.push.prod.netflix.com" typetransparent
    local-zone: "ios26.ws.prod.cloud.netflix.com" typetransparent
    # Telemetry & internal services
    local-zone: "ichnaea-web.netflix.com" typetransparent
    local-zone: "logs.netflix.com" typetransparent
    local-zone: "api.netflix.com" typetransparent
    local-zone: "dradis.netflix.com" typetransparent
    # Force IPv4 only by nulling AAAA records. typetransparent answers AAAA
    # from this local-data and passes every other type upstream. Caveats:
    # the client gets an AAAA of :: rather than NODATA, so it has to fail or
    # skip that address before falling back to A, and names without a
    # local-data entry (e.g. CDN hostnames below nflxvideo.net) still get
    # their real AAAA from upstream. The pfBlockerNG "No AAAA" list discussed
    # later in this thread filters the AAAA out instead.
    local-data: "netflix.com. AAAA ::"
    local-data: "www.netflix.com. AAAA ::"
    local-data: "netflix.net. AAAA ::"
    local-data: "nflxvideo.net. AAAA ::"
    local-data: "nflxso.net. AAAA ::"
    local-data: "nflxext.com. AAAA ::"
    local-data: "ios.prod.ftl.netflix.com. AAAA ::"
    local-data: "ios26.push.prod.netflix.com. AAAA ::"
    local-data: "ios26.ws.prod.cloud.netflix.com. AAAA ::"
    local-data: "api.netflix.com. AAAA ::"
    local-data: "dradis.netflix.com. AAAA ::"
    local-data: "ichnaea-web.netflix.com. AAAA ::"
    local-data: "logs.netflix.com. AAAA ::"

    #======================
    # Google core
    #======================
    # dns64-ignore-aaaa is only honoured when the dns64 module is loaded
    # (module-config: "dns64 validator iterator", the pfSense "DNS64 Support"
    # option). Unbound then ignores the real AAAA and synthesises one from the
    # A record inside dns64-prefix, so a NAT64 for that prefix must exist.
    # Each entry also applies to names underneath it; "*.google.com" style
    # entries would be read as a literal name and are omitted here.
    dns64-ignore-aaaa: google.com
    dns64-ignore-aaaa: googleapis.com
    dns64-ignore-aaaa: googleusercontent.com

    #======================
    # YouTube (CRITICAL for HE tunnels)
    #======================
    dns64-ignore-aaaa: googlevideo.com
    dns64-ignore-aaaa: youtube.com
    dns64-ignore-aaaa: youtubei.googleapis.com
    dns64-ignore-aaaa: ytimg.com
    dns64-ignore-aaaa: ggpht.com
    dns64-ignore-aaaa: gvt1.com

    #======================
    # Tubi
    #======================
    dns64-ignore-aaaa: tubi.io
    dns64-ignore-aaaa: tubitv.com
    dns64-ignore-aaaa: tubi.video
-
@JonathanLee does the version of Unbound shipped with pfSense even have the dns64 module compiled in? If you put

    server:
        module-config: "dns64 validator iterator"

...in your Unbound custom options, does it save & result in a working resolver?
-
@luckman212 said in Netflix and HE tunnel broker:
Unbound shipped with pfSense even have the dns64 module compiled in
Of course it has, how else would you be able to enable 'DNS64 Support' in the DNS Resolver / Advanced Settings?
-
@patient0 ah ok, sorry, it was late and I posted that from my phone. I don't use that option and so wasn't familiar with it.
I'll switch back to watching this thread. I haven't tried the dns64-ignore-aaaa directive. But if it works to selectively mask AAAA responses from certain domains I'm also interested. I do use an HENET tunnelbroker for my IPv6 currently because Verizon hasn't deployed native v6 on their 2gig NG-PON2 network (they are terrible).
For the last year or so, I've been using a Python module I wrote that filters out v6 responses. It allows exceptions via a custom config file so e.g. I can still run things like https://test-ipv6.com and score a 10/10.
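As an added example (not code from this thread, from the Python module mentioned above, or from pfSense/pfBlockerNG/Unbound), here is the filtering that both the Unbound custom-options post earlier in the thread and the Python-module post describe, done on a raw DNS response so it runs offline: AAAA records in the answer section are dropped for names under a "no AAAA" suffix list unless the name is also under an allow list, ANCOUNT is fixed up, and the rewrite refuses to produce a corrupt message when a kept record compresses its name against a removed one. The sample response, the suffix lists and every function name are constructed for this example; a real Unbound Python module would apply the same suffix logic to Unbound's parsed reply rather than to wire bytes.

```python
"""Strip AAAA answers for selected domains from a raw DNS response (added
example, not code from this thread, pfSense, pfBlockerNG or Unbound). Shows the
logic behind a "No AAAA" list with an allow list on the wire-format message so
it runs offline. Suffixes match a name and everything below it."""
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28


def _read_name(msg, off, targets=None):
    """(lowercased name, offset after it); follows RFC 1035 pointers, recording each target."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if targets is not None:
                targets.append(ptr)
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length


def _skip_rr(msg, off, targets):
    """(owner, rtype, end offset); records pointer targets in owner and RDATA names."""
    name, off = _read_name(msg, off, targets)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rd = off + 10
    if rtype in (2, TYPE_CNAME, 12, 39):                # NS, CNAME, PTR, DNAME
        _read_name(msg, rd, targets)
    elif rtype == 15:                                   # MX: preference, then exchange
        _read_name(msg, rd + 2, targets)
    elif rtype == 6:                                    # SOA: MNAME, then RNAME
        _read_name(msg, _read_name(msg, rd, targets)[1], targets)
    return name, rtype, rd + rdlen


def _under(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def _sections(msg):
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _read_name(msg, off)[1] + 4               # QNAME + QTYPE + QCLASS
    return off, ancount, nscount, arcount


def strip_aaaa(msg, no_aaaa, allow=()):
    """Copy of `msg` minus AAAA answers owned by names under `no_aaaa` and not
    under `allow`; raises ValueError if a kept record points into a removed one."""
    off, ancount, nscount, arcount = _sections(msg)
    answers_start, kept, removed, targets = off, [], [], []
    for _ in range(ancount):
        start, rr_targets = off, []
        name, rtype, off = _skip_rr(msg, off, rr_targets)
        if rtype == TYPE_AAAA and _under(name, no_aaaa) and not _under(name, allow):
            removed.append((start, off))
        else:
            kept.append(msg[start:off])
            targets.extend(rr_targets)
    if not removed:
        return msg
    tail = off                          # authority + additional are copied verbatim
    for _ in range(nscount + arcount):
        tail = _skip_rr(msg, tail, targets)[2]
    if any(lo <= t < hi for t in targets for lo, hi in removed):
        raise ValueError("kept record points into a removed AAAA record")
    header = msg[:6] + struct.pack("!H", ancount - len(removed)) + msg[8:12]
    return header + msg[12:answers_start] + b"".join(kept) + msg[off:]


def answer_types(msg):
    off, ancount, _, _ = _sections(msg)
    types = []
    for _ in range(ancount):
        _, rtype, off = _skip_rr(msg, off, [])
        types.append(rtype)
    return types


def _rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample (not a capture): reply to "www.netflix.com AAAA?" with a CNAME,
# the AAAA and, to show other types survive, an A. Pointers: \xc0\x0c = question
# name at 12, \xc0\x10 = "netflix.com" at 16, \xc0\x2d = the CNAME target at 45.
SAMPLE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
    + b"\x03www\x07netflix\x03com\x00" + struct.pack("!HH", TYPE_AAAA, 1)
    + _rr(b"\xc0\x0c", TYPE_CNAME, 300, b"\x03www\x06dradis\xc0\x10")
    + _rr(b"\xc0\x2d", TYPE_AAAA, 60, bytes.fromhex("20010db8" + "00" * 10 + "0001"))
    + _rr(b"\xc0\x2d", TYPE_A, 60, bytes([198, 51, 100, 10]))
)

if __name__ == "__main__":
    print(answer_types(SAMPLE), "->", answer_types(strip_aaaa(SAMPLE, ("netflix.com",))))
```

The pointer check is the part worth copying: resolvers compress owner names against earlier records, so cutting a record out of the middle of a message can silently leave later names pointing into bytes that no longer exist. Failing loudly there is preferable to handing the client a malformed reply.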
-
It's known: Netflix + IPv6 + he.net as your IPv6 ISP: Netflix doesn't like these IPv6 connections as it sees your IPv6 ISP (he.net) as a VPN.
What to do?
If you have pfBlockerNG:
Check "No AAAA" and enter line by line all the host names for which you don't want to resolve to AAAA - so just A:

and done.
(do a pfBlockerNG DNSBL force reload)
-
What I don’t understand is why Netflix singles out HE tunnels. Other services like Disney+, Hulu, Tubi, and Amazon see the endpoint in California and work normally. It feels like Netflix is the only one making this an issue. It almost feels like a legacy IPv4 mindset rather than something actually related to the tunnel. They want native but not everyone has native IPv6.
-
@JonathanLee I agree it's an annoyance, I've had to work around it myself. But I assume it's because if e.g. someone in Iran spun up an HE.net IPv6 tunnel and tried to access Netflix using it, how would Netflix know that person's physical location?
-
@JonathanLee said in Netflix and HE tunnel broker:
why Netflix
Easy. Because they (Netflix) can. But there are consequences: if you bother subscribers enough, they tend to cancel. The other ones you mentioned have to fight for every subscriber, and they just accept a little, potential "account abuse".
Back in the days I used Netflix over he.net, it didn't work either. bbcan wrote the pfBlockerNG python-mode solution in an afternoon and everything was ok: IPv6 everywhere and Netflix was accessed over IPv4 == my ISP.
I don't recall the others, but it wasn't only Netflix. There were web sites with broken IPv6 access. IPv6 peering among French ISPs wasn't famous (we have the ISP called Free here in France, the owner was cited before the Senate in the US for reasons ^^)

@JonathanLee said in Netflix and HE tunnel broker:
legacy IPv4 mindset
Netflix, as any other (most?) content supplier, wants to know where you connect from, for their reasons.
With an he.net access, this info isn't known. You know that, I do also, and they know it also.
In the past, when I used the Netflix account of my brother, living in another country, I had access to other movies ... As soon as you understand why, you have your question answered.
IPv6 by itself isn't an issue. Netflix is using IPv6 these days, except for the users who still use the legacy IPv4. These days, the majority of my Internet traffic is IPv6, this includes Netflix, and IPv4 is only used for places where IPv4 still rules, like web sites in the US. This is about to change, though.

Just for the fun: can you check who finances FreeBSD, the OS? ^^
Btw: Just my explanation of course. I'm not working for them. I did have the pleasure to talk to a Netflix employee who explained to me "how many accounts are there" and "how many different IP addresses (and from where)" were accessing their services at a given moment.
It was a 1 to 3 ratio. So they decided to do something about it. The easiest solution was, for example: French Netflix account access will be accepted when the access comes from French ISP networks (only). Guess what: he.net is probably not listed or considered as a French ISP, even if they have a POP in France. I could even go to China, and use that French he.net POP ...
-
@Gertjan wow… I just assumed they had the ability to see my HE tunnel is from California. It's in California. We canceled Netflix for a year because of this issue; Apple TV, Hulu, Disney Plus and Amazon know it's a California address but Netflix couldn't figure a way to do that … something they are doing seems a bit outdated to me. They got me hooked again after they sent a come-back deal, with it like 25 percent of what we used to pay, and it is working now with that adjustment.
-
@JonathanLee said in Netflix and HE tunnel broker:
I just assumed they had the ability to see my HE tunnel is from California
And that's what they 'see'. The IPv6 /64 and /48 he.net gave you. These are the actual IPv6 addresses your equipment is using, as he.net gives you a static IPv6 setup. The thing is: these IPv6 networks are maybe mapped to the geo position of the POP, but nothing is known about where you are connecting from.
The thing is: I was also using that "California" he.net POP, but I connected from France.
For a while I had the US content of Netflix. That didn't last for long though ...
And that's the issue: no one can see from where I really connect, so he.net behaves like a VPN.
And Netflix doesn't want you - it's in the contract you have with them - to use a VPN to access their services.

This situation was somewhat solved many years ago with the AAAA DNSBL from pfBlockerNG.
-
@Gertjan This solution worked for me as a Squid user—it’s just using my IPv4 addresses now. I wish I could get native IPv6, but unfortunately I can’t. In addition, the University I attend blocks IPv6 entirely on their network—yep ipv6.google.com doesn't work.
I’ve submitted a request to set up a small IPv6 test network for computer science majors, since it’s something we really should be learning. After all, every smartphone already relies on IPv6. Hopefully they’ll consider it.
Back in 2002 I was also one of the first Cisco NetAcad students, and even then, we were told IPv6 was the future—no ARP, major improvements, the whole pitch. Now it’s 2026, and while IPv6 has definitely taken off in some areas, it still feels like many networks haven’t seriously adopted it.
From what I’ve seen, this creates a knowledge gap in higher education. IPv6 often gets glossed over in networking classes, and even when students want to learn it, getting real access to an IPv6 network can be an uphill battle at times. What is confusing to me is that the community colleges have fully dual-stacked networks in my area, but the big Universities don't want it and avoid it.
-
@JonathanLee said in Netflix and HE tunnel broker:
Back in 2002 I was also one of the first Cisco NetAcad students, and even then, we were told IPv6 was the future
hahah - yeah, you prob have another 20 to be honest.. If not longer..
This graph provided by google.
https://www.google.com/intl/en/ipv6/statistics.html

Seems like it got close to the 50% mark but has fallen off that number of late, it seems. I have been playing with IPv6 since pretty much the beginning of that graph.. I just looked, I got my HE Sage certification back in Jan of 2011 - so 15 years.. And nothing.. My current ISP doesn't provide it, has no roadmap to when they will or even a statement that they ever will.
I work in the business.. And in that 15 years I have worked for 4 different companies. 1 a Fortune 500 at the time, another a Fortune 100.. I have actively been looking for projects in IPv6 to work on at all 4 companies and nothing.. Best I got was I did do all the leg work to get a company a /32 IPv6 prefix from ARIN.. And I did get to setup some routing objects in ARIN for some of that IPv6 - my understanding it was going to be leveraged for some sort of IoT project related to automotive (ie cars).. But I left that company before anything came to fruition - I will have to check with a buddy that still works there to see what happened with that ;) my guess is nothing.
The company I currently work for has no real plans in the enterprise space.. Or services exposed to the public. Some labs have some isolated ula networks setup for testing of their network test gear we make that does do IPv6. And there is an active project to move them to our global IPv6 we do have, and then route some of these networks between labs in different parts of the globe over our network. But its not an urgent project, it has no timeline or deadline. Just something me and the network architect are talking over with labs and the firewall guys.
I have 6 years left til FRA (full retirement age).. If I don't go sooner.. Other than this little lab project I don't see any IPv6 in this company's future.. They have plenty of public IPv4 space (/16) that they are only using a fraction of.. There is little reason to put any enterprise device on IPv6. Sure and the hell not running out of rfc1918 space.. It would be nothing but cost, and take away from time to work on other more important projects. With zero benefit to the company.
I seriously doubt there is going to be any sort of explosion in IPv6 use in the enterprise for many many years to come.. With all the phones and other such mobile that was eating up the IPv4 space switching over to IPv6 it has really reduced the need to go to IPv6.. I helped sell off some serious amount of space a company had, they had a /16 and now they are down to just a /19.. Which they are only using a fraction of to be honest. And what I can tell you is the price for IPv4 space has dropped drastically since then.
-
@JonathanLee FWIW, and yes this is the opposite of using IPv6, but Firefox has a "network.dns.ipv4OnlyDomains" setting to force domains to IPv4.
Useful if, say, someone allows IPv4 and then enables IPv6, or an allowed IPv6 prefix changes. Hypothetically. :)
Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed.
-
@SteveITS in firefox you can also enable network.dns.disableIPv6, this stops firefox from even asking for AAAA, which is a good thing to turn on if you don't even have an IPv6 address.
For the life of me I do not understand why applications insist on asking for AAAA when they have no workable IPv6 address..
My windows machine doesn't even have a link-local - and still, without enabling disableIPv6, firefox would ask for both A and AAAA for everywhere you tried to go.

    ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : i9-win
       Primary Dns Suffix  . . . . . . . : home.arpa
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : home.arpa

    Ethernet adapter Local:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller
       Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Monday, March 2, 2026 9:11:09 AM
       Lease Expires . . . . . . . . . . : Saturday, March 14, 2026 9:11:09 AM
       Default Gateway . . . . . . . . . : 192.168.9.253
       DHCP Server . . . . . . . . . . . : 192.168.9.253
       DNS Servers . . . . . . . . . . . : 192.168.3.10
       NetBIOS over Tcpip. . . . . . . . : Disabled

No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programming if you ask me.
Not really sure why they have both options to be honest, the way I read that is they both would do the same thing. Or maybe something changed and they added the one you posted? Going to enable it as well..
I just know when I set disable dns IPv6 - firefox stopped asking for AAAA
Oh that setting is for list of domains you want to only use IPv4 with, not turning off IPv6
"A comma-seperated list of domains to connect with IPv4 instead of IPv6"
-
@johnpoz said in Netflix and HE tunnel broker:
No gua, no ula - not even a link-local, so why and the F would it ask for AAAA for?? Lazy freaking programing if you ask me.
Good question.
If there are no local IPv6 interfaces to talk to, I'm curious what the advantage is of knowing that an AAAA exists for a host that will be contacted over A anyway.

I've a possible reason in front of me, the one and only Firefox plugin I use:

edit: the plugin is he.net powered.
It shows me for every web site I visit what I'm using: A or AAAA, and it also shows what other sites are visited when the page was retrieved.

I can imagine that when this Firefox plugin is used, these AAAA requests are made.
But if it isn't used?

@SteveITS said in Netflix and HE tunnel broker:
Edit: also FWIW we found HE tunnels were rate limited. I mean they are free, so hard to complain, but bandwidth was about 1/3 of our IPv4 connection speed.
Because the POPs have cost involved

Some of them are marked as "can't add any new clients anymore" == they are 'full'.
If they would throw hardware on it, tunnel.he.net would become a real, free VPN alternative **, which would need even more hardware.

** he.net uses a tunnel = IPv6 packets are encapsulated into IPv4 packets = the GIF protocol, which is, afaik, not encrypted. Not a big deal as all traffic is TLS already anyway.