Re-routing Google's DNS

Nivek135

Recently installed an Asus ac66u and Merlin's firmware.

I'm slowly educating myself on the new tools available to me. I'm wanting to block access to Google's DNS servers and re-route to an alternative (Unblock-Us), but without the device knowing (I'm a Netflix Android and Chromecast user and Google's DNS servers are hardwired in). Seems I have two options, using JFFS and iptables scripts or DNS filtering, but I'm still learning.

Any advice to set me on the right path or step me up the learning curve would be greatly appreciated.
 
Tried DNS Filtering with specific clients, Android tablet and Chromecast, filter mode = router. Didn't seem to work, the Chromecast is still refusing to play content.

Using Static Routes to effectively block 8.8.8.8 and 8.8.4.4 works for the Chromecast, I can cast Vudu content, but seems to prevent the Netflix Android app from playing anything, UK or US.

Tried the advice from this link but it doesn't seem to do anything; nothing appears to acknowledge any commands from the "System Command" dialogue box.

http://forum.xda-developers.com/showpost.php?p=49287137&postcount=192
 
Just specify the Unblock-Us DNS server as a custom DNS entry on the DNS filtering page and set the specific clients to use the custom DNS entry you set.
 
Thanks for the suggestion, I'll give it a go.

I may not be fully understanding how this works but I think the problem is the Chromecast and the Netflix Android app are not requesting a DNS service from the router, they're simply heading off to Google's DNS by themselves. The DNS filtering only works when a DNS service is requested from the router (???). So extra effort needs to be made to block out 8.8.8.8 and 8.8.4.4 yet, in the case of Netflix Android, make the app believe it has made contact.
 
Using the DNS filter automatically writes the correct iptables/NAT entries and forces the clients you specify to use the DNS servers you set, even if 8.8.8.8 etc. is hardcoded on the client. The client does not need to be set to use the router's IP.

This is one of the reasons for the DNS filter, as it means clients are unable to override the DNS settings you set, which is particularly handy for parental control content filtering using OpenDNS.

You can test it out by setting a static dns server on one of your other clients and then overriding on the dns filter.
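
What the post above describes, as an added example (not the firmware's own rules and not code from this thread): a script that prints the kind of NAT rules that force chosen clients onto one resolver even when 8.8.8.8 is hardcoded on them. The interface name br0, the chain name FORCEDNS, the MAC addresses and the resolver address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) NAT rules that force listed LAN
# clients onto one resolver, whatever DNS server they have hardcoded.
# Assumptions: br0 is the LAN bridge, FORCEDNS is a made-up chain name,
# and the MACs and resolver address below are constructed placeholders.

LAN_IF="br0"
CHAIN="FORCEDNS"

# Succeeds only for a MAC written as six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# dns_rules RESOLVER MAC... : emit the rule set on stdout, or fail without
# emitting anything if any argument is malformed.
dns_rules() {
    resolver=$1; shift
    valid_ipv4 "$resolver" || { echo "bad resolver: $resolver" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    echo "iptables -t nat -N $CHAIN"
    # Only port 53 arriving from the LAN enters the chain.
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j $CHAIN"
    done
    # DNAT rewrites the destination; conntrack restores the original
    # address on the reply, so the client sees its hardcoded server answer.
    for mac in "$@"; do
        echo "iptables -t nat -A $CHAIN -m mac --mac-source $mac -j DNAT --to-destination $resolver"
    done
}

# Constructed sample: two clients pinned to a documentation-range resolver.
dns_rules 192.0.2.53 AA:BB:CC:00:11:22 AA:BB:CC:00:11:33
```

Rules of this kind only see plaintext DNS on port 53; a client that uses DNS over TLS (port 853) or DNS over HTTPS (port 443) is not affected by them.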
 
Thanks BilboSNB, your suggestion works nicely for Vudu and the Chromecast.

Unfortunately still blocks out the Netflix Android app, even when Unblock-Us is set to UK. It seems that if the app cannot communicate with Google's DNS it refuses to run.

If I use DNS Filtering from the router on my Nexus 7 as BilboSNB describes then the Netflix app won't play anything, US or UK (which, as BilboSNB already explained, means my earlier post is incorrect, DNS Filtering is preventing access to Google's DNS). If I use DNS Filtering for the Chromecast but not the Nexus 7 but set the DNS from Android to Unblock-Us then the Netflix app will play US and UK content but will only allow me to cast UK content.

It feels like Netflix have had a tinker with their Android app to try and prevent Chromecasting from different regions. Dunno why such a specific block, you'd have thought they would have gone more general.
 
I have zero Linux experience and my confidence is failing me here. The wiki BilboSNB hasn't done much for my understanding. I can't even see how to get access to edit the JFFS.

Can anyone offer an explanation of how one might achieve the described iptable re-routing of Google's DNS to a dummy? :D
 
Silly question but here goes: Why do you want to block Google's DNS servers? I understand that you want to do that, but if I'm not being too forward about this, I'm just curious why you'd want to do that at all.

What's the issue/problem with allowing a connected device (like an Android phone) to connect with Google's DNS?

I ask because my ISP's DNS servers (TWC's) sometimes can be a bit laggy, so I find myself intentionally setting my AC66U's DNS settings to use Google's DNS servers (and sometimes Open DNS depending on my mood :D).

So I'm kind of curious what the issue is with Google that would cause you to try to circumvent their servers completely. Please share.

Thanks.
 
Silly question but here goes: Why do you want to block Google's DNS servers?

Geo limits on Chromecast etc.... wants to appear to be coming from another country to access better content. Most Canadians do this for Netflix because of sh*tty, antiquated, unnecessary, parochial, old-world CRTC rules. :D
 
Geo limits on Chromecast etc.... wants to appear to be coming from another country to access better content. Most Canadians do this for Netflix because of sh*tty, antiquated, unnecessary, old-world CRTC rules. :D

Thanks. Good to know.
 
It is a fact that the best TV content in the world is produced in the USA and that American content providers only want first-world Americans to see this content. Second-world users should watch their own locally-produced and inferior content or watch the premium American content with months of delay on their own TV networks. You second-world inhabitant of earth wouldn't understand their premium content anyway, it's too developed for you, please go back to herding your sheep! Also you should not see how good life in the US is because then you may decide to immigrate (or at least try) and that is not something that the US Dept of State nor the USCIS wants you to consider.

The content providers go to EXTREME lengths to prevent you from viewing their content. Hulu is really the prime example, not only blocking all traffic from outside the US but also blocking entire ranges of US proxies and VPNs just to be sure that you wouldn't use this method to access the best content currently produced on earth. It doesn't matter that you paid for Hulu Plus with your dirty second-world money. You WON'T get access. Hulu doesn't even want your money, it's not American money so it's not good! And Hulu dedicates an entire team not to acquire more content for their paying users but to finding more patterns and blocking more ways for second-world users to access their content. If Hulu could cut the internet cable between the US and all other countries, it would do so.

Anyway, I've gone through the misery of finding a solution to get EVERYTHING working here again, outside of the USA. I got Netflix USA, Hulu, etc on all my devices, including Roku, ChromeCast and Apple TV. I'm using both a VPN (to get rid of my stupid local country ads and "localized" webpages which really are inferior compared to their American counterparts) and Unblock-US. I could get by without Unblock-US if it wasn't for Hulu of course.

I don't use any of the ASUSWRT filtering options. Basically I just have a continuously running VPN client (connected to a dedicated VPS in the US, not some slow VPN service provider). All traffic is routed through this VPN, including DNS. This lets me already access everything except for Hulu (well, Hulu worked initially, until one of the Hulu "content protection specialists" found out what I was doing and blocked my VPS - don't ask me how they found that out, I only know that they pour a lot of money into some custom-written software that is designed to identify potential second-world users). To get Hulu working again, I had to create an Unblock-US account and I had to set up dnsmasq on the VPS. Then I changed the config of my DHCP server to instruct all DNS requests on my LAN to be sent to my router, which then sends them to the VPS (except for requests for local machines on my LAN). On the VPS, dnsmasq receives the requests and relays basically everything to 8.8.8.8 and 8.8.4.4, except for everything that relates to Hulu, which is sent to Unblock-US. I *COULD* relay everything to Unblock-US of course, but I trust Google DNS more. Note that Unblock-US always knows who you are as you have to register your IP with them, so they would be able to construct a full list of all sites that you visit if you relay all DNS traffic through them (which is obviously what they want you to do). Google already knows which sites I'm visiting even without using Google DNS, so let's just contain the privacy breaches to one company only.

Almost there! Now we got Hulu working on our Macs already, but ChromeCast is STILL able to circumvent this method because of these pesky hardcoded DNS servers which totally ignore the DHCP instructions. Here we need some iptables to do the magic. I won't explain iptables here, consult a primer or something, but this worked for me:

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i tun0 -p udp --dport 53 -j REDIRECT

This basically redirects all DNS requests that the VPS receives (for whatever IP) to its own dnsmasq. So no more hardcoded 8.8.8.8 for you mr. ChromeCast! dnsmasq receives the DNS request from ChromeCast and, if it concerns Hulu, sends it to Unblock-US and returns the result of Unblock-US. ChromeCast is totally unaware of this and thinks it is talking to Google DNS. Ergo, we can watch South Park on our ChromeCast.

This solution has been working for me for over a year now and I've got more than enough throughput to be able to watch everything in HD! Periodically, Hulu will find out what you're doing and will block one of Unblock-US IP addresses, but that's not your problem as Unblock-US will then change to another IP, which is part of the service that they provide to you. Normally your Hulu access will be restored in less than a day when this happens. Unblock-US will also tell you that you cannot use their service in conjunction with a VPN but that's a lie. There is no technical limitation for this. They just want you to use their own more expensive VPN service, that's all. The only thing that you need to remember is that you can only mess with your DNS requests while they're flowing outside of the VPN tunnel, traffic in the tunnel is off limits (in my setup, I intercept the DNS requests right as they exit the tunnel). Also be prepared to configure everything yourself without any assistance from Unblock-US, as the technical explanation above would baffle your average Unblock-US customer support agent. I'm quite confident that this solution will keep working in the future, as it really gets complicated at this stage and I guess 99% of second-world users are already weeded-out. The remaining 1% like me will never accept geoblocking and will continue to find workarounds for everything that Hulu and other content providers may try. It's really not that hard to find a workaround if you have the knowledge.

If you want the most complete American experience on the internet, get rid of your Android too as it sends your location to Google and Google will keep providing you with inferior versions of their products, even while using an American IP. Get an iPhone. It doesn't send your location to Google (or at least you can turn it off easily) and it's the phone that every working American uses anyway. Apple doesn't care where you are, as long as you have a US-registered Apple account you'll get access to the superior US versions of the Apple online services.

To get the ultimate experience, move to the US if they allow you to. Life is really in 1080i HD there. Canada/Australia, Switzerland and some parts of Scandinavia are 720p HD. Rest of the world is SD.

Sorry for my bad English btw.
 