Can anyone help with getting an iPhone to connect to Netflix by IPv4 only?
My Omnia is currently set up to use an HE IPv6 proxy since my provider doesn’t give me an IPv6 address.
On the iPhone, Netflix was complaining about the connection being behind a proxy or blocker when trying to play videos not “created” by Netflix. The Roku, XBox, Android and Wii don’t complain.
Tunneling services that proxy an IPv6 connection over an IPv4 network are not supported by Netflix, and may trigger an error message. If you’re not sure if you are using one of these services, contact your internet service provider for assistance.
Note: Netflix does support any IPv6 connection that is natively provided to you by your ISP.
I’m hoping for suggestions on how to get around this. I figure my options are:
Prevent the iPhone from getting an IPv6 address
Block IPv6 traffic for the iPhone using a firewall
These seem to be brute force and not very sustainable in the long run.
Over the really long run, I’d get normal IPv6 from the ISP.
For mid-term, if Netflix uses a small-ish set of domain names (subtrees), I expect it shouldn’t be too difficult to use DNS, i.e. make those appear as not having any IPv6 records. EDIT: to be clear, in kresd it’s relatively easy to have rules conditional on client’s address, so it could be specific to both the device and the names.
EDIT: I think suricata can terminate https connections based on server name – that might be another name-based option, but I’ve never worked with suricata.
Add line "option include_config '/etc/kresd/custom.conf'" in section "option include_config '/etc/kresd/custom.conf'" in file /etc/config/resolver.
Create file /etc/kresd/custom.conf with:
```lua
-- load the policy module so the rule below can be registered
modules = { 'policy' }

-- policy action: finish AAAA queries with an empty answer,
-- leave every other query type untouched
local function filterAAAA(state, req)
    local qry = req:current()
    if qry.stype == kres.type.AAAA then
        return kres.DONE
    end
    return state
end

-- block netflix ipv6 resolution as it blocks tunnelbroker
policy.add(policy.suffix(filterAAAA, policy.todnames({'netflix.net.', 'netflix.com.', 'nflxext.com.', 'nflximg.com.', 'nflxvideo.net.', 'nflxso.net.'})))
```
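The per-device variant suggested earlier in the thread, as an added example that is not from any poster: it uses kresd's view module to apply the same AAAA filter only to queries coming from one client. The client address is a constructed placeholder, and the example assumes the view module is available in the installed kresd.

```lua
-- Added example, not from the thread. Goes in /etc/kresd/custom.conf
-- in place of the global policy.add() rule.
-- Assumption: the 'view' module ships with the installed kresd.
modules = { 'policy', 'view' }

-- Same filter as in the post above: finish AAAA queries with an
-- empty answer and pass every other query type through.
local function filterAAAA(state, req)
    local qry = req:current()
    if qry.stype == kres.type.AAAA then
        return kres.DONE
    end
    return state
end

-- Name suffixes taken from the post above.
local netflix = policy.todnames({
    'netflix.net.', 'netflix.com.', 'nflxext.com.',
    'nflximg.com.', 'nflxvideo.net.', 'nflxso.net.',
})

-- Constructed placeholder: the iPhone's DHCP-reserved IPv4 address.
-- The rule matches on the source address of the DNS query, so if the
-- phone reaches the resolver over IPv6 it needs an entry for that
-- source address as well.
local iphone_addrs = { '192.168.1.50' }

-- view:addr() applies the rule only to queries from the given address
-- or subnet, so all other clients still get AAAA records for these names.
for _, addr in ipairs(iphone_addrs) do
    view:addr(addr, policy.suffix(filterAAAA, netflix))
end
```

After restarting the resolver, an AAAA lookup for one of the listed names should come back empty from the phone and unchanged from any other LAN client.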
Yes. Nitpick: this way the AAAA answer doesn’t contain SOA, so clients get no TTL and might not cache the negative answer well, but that will probably cause no practical issues, especially on LAN.
Strictly speaking, no. It was in response to other things not working very well without it though. Things like “apt” would have a hard time connecting if they got an AAAA response and wouldn’t fail over to the IPv4 A record.
All these workarounds are for things that are annoyances. Also, since my job is related to networking, I thought it would be beneficial to get some hands-on experience with IPv6. Again, not something I need it for, but you get the picture.
Well worth the minor annoyances in my opinion and I’m quite grateful for this community in helping me come up with solutions.