Selective Routing for Netflix


Is it possible, via pfSense, to selectively route applications/services like we've discussed? By that, what I mean is:

  • Set up multiple VPN connections / interfaces. E.g. UK/USA/JP/IE etc.
  • Route, for example, BBC iPlayer traffic over the UK VPN, Hulu over the USA VPN etc., and then route everything else not fitting those traffic rules over WAN.

Does pfSense domain routing work like dnsmasq? Currently on my RT-AC5300 I have dnsmasq.conf.add and add my own domains there to run over separate Smart DNS IPs. That's all I do. It's a bit hit and miss though, and now I find I want to route everything over VPN instead. Hopefully a fast box will help me get nice VPN speeds, enough to get 4K streams working properly.
Yes, selective routing you can choose what traffic to route to WAN or to one of several OpenVPN interfaces. Unbound is the DNS resolver in pfSense. Similar to dnsmasq but different too.

I plan to make selective routing on pfSense a topic of a future blog post once the 2.4.4 release is finalized as there are a lot of changes in pfBlockerNG in 2.4.4 when compared to the 2.4.3 release.
 
The sed command (which I can't decipher) does not seem to work for me:

Code:
admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":"
                                <a href="/AS2906/108.175.32.0/20" >
                                <a href="/AS2906/185.2.220.0/22" >
                                <a href="/AS2906/185.9.188.0/22" >
                                <a href="/AS2906/192.173.64.0/18" >
                                <a href="/AS2906/192.173.70.0/24" >

However, if I run it with the full command:
Code:
admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'
The output is blank.
 

Try
Code:
curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*AS2906\/" | grep -v ":" | sed 's/<a href\="\///; s/".*$//; s/^[^\/]*\///g'
 
Assuming I can get this working for UK Netflix, does this script mean that I do not need to set up ipset= in dnsmasq anymore, as it'll refresh each time I reboot the router?

Netflix is working on this laptop (no WAN tunnel for this device) but is not working when I try using the app on my Amazon Fire TV device.

If I set a WAN tunnel for the Amazon Fire device, Amazon and Netflix both play fine.

Please can someone help me debug this? What do you need? Logs etc.?
 

I would suggest the use of the script say every couple of weeks to flush the ipset and possibly remove obsolete entries.

Leaving dnsmasq to also update the ipset in real-time is also recommended - although I suspect there wouldn't be many additions that have yet to be propagated to the 'ipinfo' site.

So once a day using a cron schedule, and also when the router is shut down cleanly (see services-stop), back up the ipset to a USB drive; then, to save time, whenever the router is rebooted simply restore the ipset backup.
 

Can I restore the ipset in nat-start?

 

Yes, but nat-start may be called twice during the boot process, and also whenever the WAN/firewall is restarted.

So if you have the ipset backup on a USB drive, then post-mount could be used or even init-start to ensure the ipset restore is only requested once during the boot process.
 

Thanks for that.

At the moment, I have the VPN switched on. Netflix (UK) and Amazon work fine on my laptop. However, they do not on my Amazon Fire TV box. I am using the policy rules below:
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-40#post-412836

I use the 10.0.0.0 network.

If I set a policy rule for the Amazon Fire to tunnel to WAN, it works fine (as it should).

It must be that the Fire TV is going to some addresses that are not in my IPSET list.

I would like to compare the outgoing addresses from the Fire TV when the device policy is set with the addresses when selective routing is set. What's the best method for this please?
 

This post will show you how to capture the domain names from dnsmasq.log

https://www.snbforums.com/threads/selective-routing-for-netflix.42661/page-6#post-400556.

You can then read the file containing the domain names you harvested, perform an nslookup on each one to obtain the IPv4 addresses, and load the list into an ipset. Save each ipset list to a separate text file and do a diff to compare the two lists. For example:
Code:
# One domain name per line (first column) in /jffs/scripts/BBCdns
for domain_name in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
    # Busybox nslookup: after the "Name:" line, print the address field of each "Address" line
    for ip in $(nslookup "$domain_name" | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        ipset add IPLAYER "$ip"
    done
done
 
I assume I have to install AB-Solution to collect those domain names?
Installing AB-Solution is a worthy addition if you require Ad-blocking, but it also enables dnsmasq logging to assist in reporting/debugging etc.

Alternatively you may enable dnsmasq logging by manually adding the following to

/jffs/configs/dnsmasq.conf.add
Code:
log-facility=/tmp/mnt/xxxxxxxx/dnsmasq.log
log-async
log-queries

and restarting dnsmasq:
Code:
service restart_dnsmasq

It collects domain names? Not the IP addresses?
Domains are easily converted to IPs/Subnets!
I have just followed @Xentrk's 'harvesting' method by scanning dnsmasq log 'query' entries:

Code:
#!/bin/sh
# Colour escapes come from the author's own shell library; defined here so the snippet runs stand-alone
cBRED="\033[1;31m"; cBYEL="\033[1;33m"; cBCYA="\033[1;36m"

DNSMASQ_LOG="/tmp/mnt/xxxxxxxx/dnsmasq.log"
DEVICE=10.88.8.155      # LAN client whose queries are harvested

# Unique names containing 'nflx' queried by $DEVICE ($6 of a "query[A] <name> from <client>" line is the name)
for DNSQUERY in $(grep "query" $DNSMASQ_LOG | grep "$DEVICE" | grep "nflx" | awk '{ print $6 }' | sort -u )
    do
        #Say iptables -t mangle -D PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        #Say iptables -t mangle -A PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        echo -e $cBCYA"\t\tExtracted '"$DNSQUERY"'"
        # Resolve the name and keep every IPv4 address in the answer, minus the resolver's own 127.0.0.1
        for IP in $(nslookup "$DNSQUERY" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1")
            do
                echo -en $cBRED
                # 'ipset test' prints "... is NOT in set ..." and exits non-zero when the IP is missing
                ipset test NETFLIX $IP
                if [ $? -gt 0 ];then
                    # Dry run: report the add that would be needed rather than performing it
                    echo -e $cBYEL"\t\tipset add NETFLIX" $IP
                fi
            done
    done

Results:

Code:
  Extracted 'ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

  Extracted 'ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

  Extracted 'ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net'
78.146.119.61 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.61

  Extracted 'ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net'
78.146.119.49 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.49

  Extracted 'occ-0-1688-299.1.nflxso.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

However, if dnsmasq is tracking (ipset=/nflxso.net/nflxvideo.net/NetflixUSA), then my dnsmasq log shows that they were added to my ipset NetflixUSA:

Code:
Jun 25 14:58:16 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 14:58:16 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.61 ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net is 78.146.119.61
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.221 ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.221
Jun 25 15:00:04 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 15:00:04 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.49 ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net is 78.146.119.49
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.219 ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.219

Whilst useful in determining (in real-time) new Netflix related domains using the harvesting scripts, I'm not sure why @Xentrk would imply that it is necessary to create explicit iptables Netflix PREROUTING rules unless there is evidence that the dnsmasq technique no longer works?
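As an added example (not code from the thread's authors), the same harvesting as the two scripts above, but done offline against the dnsmasq.log itself: since dnsmasq already logs every "reply <name> is <ip>" answer, the addresses can be collected without a second nslookup, and emitted as "add <set> <ip>" lines, the format 'ipset save' writes and 'ipset restore' reads (the same format used for the backup-and-restore-on-boot approach discussed earlier). The log lines are constructed from the formats shown in this thread; the set name NETFLIX and client 10.88.8.155 are taken from the posts above.

```shell
#!/bin/sh
# Added example: harvest Netflix names and addresses for one LAN client straight
# from dnsmasq.log. dnsmasq logs the answer ("reply <name> is <ip>"), so the IPs
# can be collected offline instead of re-resolving every name with nslookup.
LC_ALL=C; export LC_ALL

# Constructed sample log in the format shown in this thread (not a real capture).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 25 14:58:16 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 14:58:16 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.61 ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net
Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net is 78.146.119.61
Jun 25 18:10:28 dnsmasq[1585]: query[A] rgom10-en.url.trendmicro.com from 127.0.0.1
Jun 25 18:10:28 dnsmasq[1585]: reply rgom10-en.url.trendmicro.com is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply a151.g.akamai.net is 42.99.128.161
Jun 25 21:56:52 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:52 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
EOF

# Unique names containing $3 that client $2 asked for (A records only).
# Fields: 1-3 date/time, 4 "dnsmasq[pid]:", 5 "query[A]", 6 name, 7 "from", 8 client.
harvest_domains() {
    awk -v dev="$2" -v pat="$3" \
        '$5 == "query[A]" && $8 == dev && index($6, pat) { print $6 }' "$1" | sort -u
}

# IPv4 answers dnsmasq recorded for name $2 (fresh "reply" or "cached" lines).
# Field 8 is the answer; "<CNAME>" placeholders and AAAA answers fail the
# dotted-quad test and are dropped.
harvest_ips() {
    awk -v name="$2" \
        '($5 == "reply" || $5 == "cached") && $6 == name &&
         $8 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $8 }' "$1" | sort -u
}

# Combine the two into "add <set> <ip>" lines, the format 'ipset save' writes and
# 'ipset restore' reads, so the output can be applied with: ipset restore -! < file
ipset_restore_lines() {
    for d in $(harvest_domains "$1" "$2" "$3"); do
        harvest_ips "$1" "$d"
    done | sort -u | awk -v set="$4" '{ print "add " set " " $1 }'
}

ipset_restore_lines "$SAMPLE_LOG" 10.88.8.155 nflx NETFLIX
```

The target set must already exist (or the file must start with its own create line) before 'ipset restore' will accept the add lines.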
 

Interesting, this is what I get. Nothing in there about "netflix":
Code:
admin1@RT-AC86U:/tmp/mnt/sda1/adblocking/logs# cat netflix
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.99.100
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.96.100
Jun 25 18:10:28 dnsmasq[1585]: query[AAAA] rgom10-en.url.trendmicro.com from 127.0.0.1
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.99.100
Jun 25 18:10:28 dnsmasq[1585]: reply rgom10-en.url.trendmicro.com is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply trendmicro.com.edgesuite.net is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply rgom10-en.url.trendmicro.com is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply trendmicro.com.edgesuite.net is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply a151.g.akamai.net is 42.99.128.161
Jun 25 18:10:28 dnsmasq[1585]: reply a151.g.akamai.net is 42.99.128.168
That trendmicro check happens each time I do a "check your network" on Netflix on the Fire TV.

Am I allowing just a151.g.akamai.net?
 

Depending on region/ISP etc., the CDN Akamai apparently does host "Netflix"; see post #129.
 
I wish I hadn't installed the ad blocker. It's added a load of stuff that's made it more confusing to debug.

Is removal a reformat of jffs?

No... use 'rm' from the AB-Solution menu.
 

I've gone back to dnsmasq tracking after removing the ad blocker (thanks for that, by the way).
 

I've added logging to my dnsmasq.conf.add and it's capturing data; however, it's spamming the following:
Code:
Jun 25 21:56:52 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:52 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:56:57 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:57 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:02 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.96.100
Jun 25 21:57:02 dnsmasq[1698]: reply dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:07 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:07 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:12 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:12 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:17 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:17 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:22 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:22 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:27 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:27 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100

When I do some button pushing on Netflix (on the Fire TV) I don't see anything new in this list. If I run nslookup on netflix.co.uk it shows up. I thought that the list updates when any request happens?
 
Those entries are from Windows checking for web connectivity.

Do you see log entries from the IP address of the Fire TV in dnsmasq.log? Do you assign static IP addresses to your LAN clients?
 

If the Fire TV is explicitly using upstream DNS servers then it bypasses dnsmasq on the router.
 