6in4 using henet and unbound

Hi,
I currently have my Archer C7 setup using Unbound and pointing to CIRA dns servers for parental filtering. This is all working flawlessly.

Now I’ve configured my wan6 to use 6in4 with henet. That appears to be working properly too. My clients are getting IPv6 IPs using DHCP and can surf.

My problem is that it appears that any ipv6 dns queries are going to HENET and not using my local dns service using Unbound. Which means no parental filtering is occurring with traffic on ipv6 clients.
Netflix was screwing up thinking I was using a VPN proxy, so I entered some custom ipv6 dns entries in my unbound configs so that ipv6 lookups wouldn’t work for all the Netflix IPs and force traffic via my ipv4 wan connection (found that as a workaround on another forum). This doesn’t appear to be working, as Netflix still isn’t working until I shut down my wan6 interface. Which means my wan6 interface is not checking my local dns.
So how do I force my wan6 interface to use MY local dns server and NOT the henet dns servers?

Thanks

There are two separate issues here:

  1. how to use your DNS for IPV6 clients on the local net
  2. how to keep Netflix out of he.net

No. 1 is easily solvable: it's not really a problem if the router does IPV6 lookups via he.net's own servers, what you care about is probably your LAN clients using your own server. If that includes your own router, no big deal.

No. 2 is still solvable but considerably harder: Netflix has taken the position that all traffic through he.net is an attempt at circumventing geoblocking and they're explicitly banning it. To state it even more clearly: forcing your local clients to use your own unbound instance won't help you at all if your unbound returns an IPV6 address for a Netflix-related query, since the traffic will then flow through your tunnel anyway.

There are a few guides out there but basically the trick is: two separate servers, one somehow configured not to answer queries for netflix with AAAA records. I learnt of this issue while setting up my server but I ignored it since I don't use netflix; for me it was simply too much pain for no gain.


When I was still using the HE tunnel and had the same issues with netflix, I used this stanza in dnsmasq.d/ config

address=/nflxvideo.net/::
address=/nflximg.net/::
address=/nflxext.com/::
address=/netflix.net/::
address=/netflix.com/::
address=/nflxso.net/::
server=/netflix.com/#
server=/netflix.net/#
server=/nflxext.com/#
server=/nflximg.net/#
server=/nflxvideo.net/#
server=/nflxso.net/#

It is basically suppressing the AAAA responses and returns only A responses.


@aboaboit Hi and thanks for the detailed response!

Regarding issue #1: How do I ensure all my ipv6 clients use my local dns and not some external provider?

Issue #2 regarding Netflix using he.net:
The solution I found was configuring Unbound with some ipv6 dns values to point all Netflix domains to a bogus/localhost ipv6 address so that the dns lookup fails and forces the connection to Netflix using my ipv4 wan connection. My problem with this is it seems my ipv6 clients aren’t querying my local dns server. (Issue #1)

@trendy This is exactly what I did! The only difference is that it’s formatted to work with Unbound instead. Again, my main problem seems to be issue #1 :weary:

config dhcp 'lan'
...
        list dns 'fd00:bbbb::2'
        list dns 'fd00:bbbb::3'

If unbound is running on the OpenWrt you can leave it empty.


This works for unbound in serial mode, that is when it is the sole upstream server for dnsmasq, which is answering queries from local clients. In parallel mode, where unbound is directly answering local clients unless the query concerns a local domain, this approach is not applicable. That is to say, use serial mode if you value simplicity over efficiency and you need to deal with Netflix :slight_smile:

Unless your local router happens to be ::c0:fefe because that was so silly it had to be done :wink:

I have added, also in "dhcp":

list dhcp_option 'option:dns-server,0.0.0.0'

thank you both for the replies!

I am using Unbound in parallel mode and I have "list dhcp_option 'option:dns-server,0.0.0.0'" configured in my /etc/config/dhcp file.

It still seems like unbound is ignoring my netflix ipv6 entries.

root@GateKeeper:/etc/config# cat unbound_ipv6_netflix.conf 
#Netflix IPV6 Unbound Filter

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "netflix.net" typetransparent
local-data: "netflix.net IN AAAA ::"

local-zone: "nflxext.com" typetransparent
local-data: "nflxext.com IN AAAA ::"

local-zone: "nflximg.net" typetransparent
local-data: "nflximg.net IN AAAA ::"

local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"

local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"

local-zone: "customerevents.netflix.com" typetransparent
local-data: "customerevents.netflix.com IN AAAA ::"

local-zone: "secure.netflix.com" typetransparent
local-data: "secure.netflix.com IN AAAA ::"

local-zone: "adtech.nflximg.net" typetransparent
local-data: "adtech.nflximg.net IN AAAA ::"

local-zone: "assets.nflxext.com" typetransparent
local-data: "assets.nflxext.com IN AAAA ::"

local-zone: "codex.nflxext.com" typetransparent
local-data: "codex.nflxext.com IN AAAA ::"

local-zone: "dockhand.netflix.com" typetransparent
local-data: "dockhand.netflix.com IN AAAA ::"

local-zone: "ichnaea.netflix.com" typetransparent
local-data: "ichnaea.netflix.com IN AAAA ::"

local-zone: "art-s.nflximg.net" typetransparent
local-data: "art-s.nflximg.net IN AAAA ::"

local-zone: "tp-s.nflximg.net" typetransparent
local-data: "tp-s.nflximg.net IN AAAA ::"

Do I still need to enter those DNS values?

config dhcp 'lan'
...
        list dns 'fd00:bbbb::2'
        list dns 'fd00:bbbb::3'

I guess setting all of this doesn't have any huge advantages at the moment (using he.net for ipv6 support). It seems when some of my dhcp clients surf, it randomly uses either my ipv4 wan (ISP) or ipv6 wan (HE.NET) to access the internet. So depending on the site they visit, it sometimes thinks they're in the USA when in fact they're in Canada.

I'll still try to make this work... I just want to make sure all my ipv6 dhcp clients query my unbound server for dns requests and NOT the he.net dns servers... Otherwise my parental filters won't work for them.
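The dnsmasq stanza posted earlier (`address=/dom/::` plus `server=/dom/#`) and the unbound file above (`typetransparent` zones with one `AAAA ::` record each) aim at the same result, but they match names differently: dnsmasq's `address=` covers the domain and everything below it, while unbound's `local-data` only answers for the exact owner name listed, which is why the unbound file has to spell out www.netflix.com, secure.netflix.com and so on, and why a host name that is not in that list still gets a real AAAA answer. The following script is an added example, not code from the thread or from either resolver; it parses short, constructed excerpts of both configs and reports, for a given name and record type, whether each resolver would answer locally with `::` or forward the query, following the behaviour described in the posts (AAAA suppressed, A forwarded). The function names and the probe names are this example's own.

```python
"""Model of how the two resolver snippets in this thread classify a query.

Added example (not code from the thread, dnsmasq or unbound); it only
models the documented semantics of the directives used in the posts:

  dnsmasq  address=/dom/::   answer AAAA with :: for dom and every name below it
           server=/dom/#     forward every other query type (A, ...) upstream
  unbound  local-zone: "name" typetransparent
           local-data: "name IN AAAA ::"
                             answer AAAA with :: for that exact owner name only;
                             any other name or type is forwarded upstream
"""
import re

# Constructed excerpts of the two configs posted in the thread.
DNSMASQ_CONF = """\
address=/netflix.com/::
address=/nflxvideo.net/::
server=/netflix.com/#
server=/nflxvideo.net/#
"""

UNBOUND_CONF = """\
local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"
local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"
"""


def _norm(name):
    return name.rstrip(".").lower()


def _under(name, zone):
    """True if name is zone itself or any name below it (label boundary)."""
    return name == zone or name.endswith("." + zone)


def parse_dnsmasq(text):
    """{domain: ipv6} for address=/domain/<ipv6> lines (one domain per line)."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"address=/([^/]+)/(.+)$", line.strip())
        if m and ":" in m.group(2):
            rules[_norm(m.group(1))] = m.group(2)
    return rules


def parse_unbound(text):
    """{owner: {rrtype: rdata}} for local-data: "owner [IN] type rdata" lines."""
    data = {}
    pat = re.compile(r'local-data:\s*"([^\s"]+)\s+(?:IN\s+)?([A-Z]+)\s+([^"]+)"')
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            data.setdefault(_norm(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return data


def dnsmasq_answer(rules, qname, qtype):
    """('local', rdata) or ('forward', None); the most specific domain wins."""
    qname = _norm(qname)
    for dom in sorted(rules, key=len, reverse=True):
        if _under(qname, dom):
            if qtype == "AAAA":
                return ("local", rules[dom])
            return ("forward", None)   # server=/dom/# sends A etc. upstream
    return ("forward", None)


def unbound_answer(data, qname, qtype):
    """typetransparent: only an exact (owner, type) hit is answered locally."""
    rrs = data.get(_norm(qname), {})
    if qtype in rrs:
        return ("local", rrs[qtype])
    return ("forward", None)


def coverage_gap(rules, data, names):
    """Names whose AAAA dnsmasq would null but this unbound file forwards."""
    return [n for n in names
            if dnsmasq_answer(rules, n, "AAAA")[0] == "local"
            and unbound_answer(data, n, "AAAA")[0] == "forward"]


if __name__ == "__main__":
    rules, data = parse_dnsmasq(DNSMASQ_CONF), parse_unbound(UNBOUND_CONF)
    probe = ["netflix.com", "www.netflix.com", "ipv6-test.netflix.com", "example.org"]
    for n in probe:
        print(n, dnsmasq_answer(rules, n, "AAAA"), unbound_answer(data, n, "AAAA"))
    print("slip through unbound:", coverage_gap(rules, data, probe))
```

Run it with the full lists from the posts pasted into the two constants and feed `coverage_gap` the host names seen in the resolver log while the Netflix app starts; every name it prints is one the unbound file still answers with a real AAAA record.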

The fact that some sites are accessed via IPV4 while others via IPV6 is perfectly normal: if both are available, IPV6 is given priority. Also, it depends exactly on how the application queries the DNS: asking for ANY will give you, well, any record regarding a domain while asking for A / AAAA will return just that.

I can't really comment on unbound filtering since I am not using this feature but I do recall that there was a two-server setup involved in most suggestions. Out of curiosity, I did another quick search and found a new interesting approach.

Also, be aware that some clients deliberately use hardcoded servers.

Oh, by the way: how did you include your "netflix" file in the main unbound conf? I might be able to replicate the setup here and check if that works: I have blocked access to external DNS servers so it's either my server or no answer :slight_smile:

In the /etc/unbound/unbound_src.conf file I added this line:
include: "/etc/config/unbound_ipv6_netflix.conf"
which is:

#Netflix IPV6 Unbound Filter

local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "netflix.net" typetransparent
local-data: "netflix.net IN AAAA ::"

local-zone: "nflxext.com" typetransparent
local-data: "nflxext.com IN AAAA ::"

local-zone: "nflximg.net" typetransparent
local-data: "nflximg.net IN AAAA ::"

local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"

local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"

local-zone: "customerevents.netflix.com" typetransparent
local-data: "customerevents.netflix.com IN AAAA ::"

local-zone: "secure.netflix.com" typetransparent
local-data: "secure.netflix.com IN AAAA ::"

local-zone: "adtech.nflximg.net" typetransparent
local-data: "adtech.nflximg.net IN AAAA ::"

local-zone: "assets.nflxext.com" typetransparent
local-data: "assets.nflxext.com IN AAAA ::"

local-zone: "codex.nflxext.com" typetransparent
local-data: "codex.nflxext.com IN AAAA ::"

local-zone: "dockhand.netflix.com" typetransparent
local-data: "dockhand.netflix.com IN AAAA ::"

local-zone: "ichnaea.netflix.com" typetransparent
local-data: "ichnaea.netflix.com IN AAAA ::"

local-zone: "art-s.nflximg.net" typetransparent
local-data: "art-s.nflximg.net IN AAAA ::"

local-zone: "tp-s.nflximg.net" typetransparent
local-data: "tp-s.nflximg.net IN AAAA ::"

I seem to have limited ALL my dhcp dns request to ONLY use my local DNS server. That way any devices with hard coded DNS servers can't sneak by.

/etc/config/firewall

config redirect 'restrict_dns_53'
        option name 'restrict DNS, port 53'
        option src 'lan'
        option target 'DNAT'
        option dest 'lan'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '53'

config redirect 'restrict_dns_853'
        option name 'restrict DNS, port 853'
        option src 'lan'
        option target 'DNAT'
        option dest 'lan'
        option dest_port '853'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '853'

config redirect 'restrict_dns_5353'
        option name 'restrict DNS, port 5353'
        option src 'lan'
        option target 'DNAT'
        option dest 'lan'
        option dest_port '5353'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '5353'

I'm assuming this will apply to ipv6 traffic too; however, I'm not sure.
When I did a nslookup on one of my workstations on my network I got:

nslookup www.netflix.com
Server:  GateKeeper.myhomedomain.ca
Address:  fd4a:d0d8:34a9::1

Non-authoritative answer:
Name:    www.netflix.com
Addresses:  ::
          34.210.217.170
          34.215.79.124
          52.33.134.215
          52.39.48.121
          52.41.135.17
          52.43.218.25
          52.89.214.214
          54.187.132.161

and when I tried to specify another DNS server I got the same results.

nslookup www.netflix.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.netflix.com
Addresses:  ::
          34.210.217.170
          34.215.79.124
          52.33.134.215
          52.39.48.121
          52.41.135.17
          52.43.218.25
          52.89.214.214
          54.187.132.161

Even though it "seems" to be working.. whenever any of my kids try to load the Netflix APP on their devices they get that darn PROXY error message until I shutdown my wan6 interface. :frowning:

We discussed it thoroughly here for hijacking DNS queries that try to bypass the legitimate nameservers.


@Cylac have yet to try it, sorry, will update perhaps this evening

@trendy I had a very quick look at the thread you linked, just adding here that I took a different approach: simply blocked connections to external servers. My reasoning is that any device that tries a hardcoded server first must also have a backup plan (like using the dhcp-supplied server) or simply stop working if that server ever fails, which is not great.

Exactly, that's why I went for the hijacking option. Given that most Android devices will do that (I still see them in the logs trying) I didn't want to have the extra delay for most of the queries until they timeout.


I copied this rule directly to my file, then checked from the web interface:

[image]

It is shown as IPV4-only. I have verified that I can still query an external server if I dig google's IPV6 dns server. I asked for my router's address using the local name, which google doesn't know about, and it failed as expected. If I query 8.8.8.8 for netflix, then there is no AAAA reply, thanks to your extra unbound config.

TLDR with those rules, the Netflix app is still able to bypass your DNS server, get an IPV6 answer and promptly send traffic through the tunnel.

I'd say it is time to study the example linked by @trendy

thanks for testing it out! I'll check out the examples that were linked. Seems my issue is some ipv6 dns queries can still bypass my local dns server.

I'm also looking at testing out the NextDNS.io client they have for OpenWRT and dropping Unbound.

I'm assuming by these results that all my ipv6 dns queries are only being resolved locally.

This is on my Windows 10 workstation (a client)

cylac@CHAOS:~$ nslookup gatekeeper.myprivdomainname.ca 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Name:   gatekeeper.myprivdomainname.ca
Address: 192.168.76.1

cylac@CHAOS:~$ nslookup gatekeeper.myprivdomainname.ca 2001:4860:4860::8888
Server:         2001:4860:4860::8888
Address:        2001:4860:4860::8888#53

Name:   gatekeeper.myprivdomainname.ca
Address: 192.168.76.1

I followed the instructions found here: https://openwrt.org/docs/guide-user/services/dns/intercept

I wasn't sure if it worked since I got this once I reloaded the firewall:

* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'

It's probably not related.

Anyhow, I'm gonna guess that ANY ipv6 and ipv4 dns queries from any of my clients have to use my local dns.
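The check both posters run by hand above (asking a public resolver for a name that only the router's own DNS knows, once over IPv4 and once over IPv6) can be scripted so it is repeated after every firewall change. The script below is an added example, not code from the thread; it builds a plain UDP DNS query, parses the reply, and labels the outcome: an address for the LAN-only name means the router answered (intercepted), NXDOMAIN or an empty answer means the query reached the real resolver (leaked), and silence means it was dropped. The resolver addresses and the LAN host name are taken from the posts; the outcome labels and function names are this example's own. Run it from a LAN client, not from the router, since the redirect rules only apply to forwarded traffic.

```python
"""Probe whether LAN DNS queries to outside resolvers are intercepted.

Added example, not code from the thread. Method is the one used above: ask
a public resolver, over IPv4 and over IPv6, for a name that only the
router's own DNS can answer. If an address comes back, the router answered
(the query was intercepted); if the reply is NXDOMAIN/NODATA, the query
reached the real resolver (it leaked); if nothing comes back, it was
dropped. A redirect that only exists in the IPv4 nat table shows up as
"intercepted" on 8.8.8.8 but "leaked" on 2001:4860:4860::8888.
"""
import random
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txid=None):
    """Standard recursive query, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name starting at off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Return (txid, rcode, [A/AAAA addresses in the answer section])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, flags & 0x000F, answers


def classify(sent_txid, reply):
    """Turn a raw reply (None = timeout) into what it says about the path."""
    if reply is None:
        return "blocked"
    txid, rcode, answers = parse_response(reply)
    if txid != sent_txid:
        return "mismatch"       # not an answer to our question; ignore it
    if rcode == 0 and answers:
        return "intercepted"    # an outside resolver cannot know a LAN-only name
    return "leaked"             # NXDOMAIN / NODATA: the real resolver answered


def probe(resolver, name, qtype="A", timeout=3.0):
    """Send one query to resolver:53 and classify the outcome."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    txid = random.randrange(0x10000)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (resolver, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(txid, reply)


if __name__ == "__main__":
    LAN_ONLY_NAME = "gatekeeper.myprivdomainname.ca"   # router name from the thread
    for resolver in ("8.8.8.8", "2001:4860:4860::8888"):
        print(resolver, probe(resolver, LAN_ONLY_NAME))
```

The name you probe with must be one the public resolver really cannot answer; if the local domain also exists on the public internet, a genuine answer would be mislabelled as interception. The script only covers plain port 53 over UDP, so the 853 (DoT) and 5353 redirects in the firewall config above still need a separate check.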

Most likely so, that's why I am not sure switching server software will do anything beyond learning how to configure it :slight_smile:

Hmm, that guide doesn't look right, @trendy: only in UCI is the target "DNAT" or "SNAT", in iptables-save that becomes "REDIRECT" so the sed invocation for IPV6 would probably not work as intended, at least here it does not generate any IPV6 rules.

Assuming I don't have pi-hole and that the DNS server lives on the router, do I need all those rules or can one get by with a reduced set? For example that from the guide above, albeit with a revised "sed" translation?

The REDIRECT is almost the same as DNAT, but to redirect to the same device.

The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.
Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080