Help with IPv6 edge case with Netflix and iPhone

Can anyone help with getting an iPhone to connect to Netflix by IPv4 only?

My Omnia is currently set up to use an HE IPv6 proxy since my provider doesn’t give me an IPv6 address.

On the iPhone, Netflix was complaining about the connection being behind a proxy or blocker when trying to play videos not “created” by Netflix. The Roku, XBox, Android and Wii don’t complain.

Looking around Netflix’s site, I find:

Are you using an IPv6 proxy tunnel?

Tunneling services that proxy an IPv6 connection over an IPv4 network are not supported by Netflix, and may trigger an error message. If you’re not sure if you are using one of these services, contact your internet service provider for assistance.

Note:

Netflix does support any IPv6 connection that is natively provided to you by your ISP.

I’m hoping for suggestions on how to get around this. I figure my options are:

  1. Prevent the iPhone from getting an IPv6 address
  2. Block IPv6 traffic for the iPhone using a firewall

These seem to be brute force and not very sustainable in the long run.

Over the really long run, I’d get normal IPv6 from the ISP :)

For mid-term, if Netflix uses a small-ish set of domain names (subtrees), I expect it shouldn’t be too difficult to use DNS, i.e. make those appear as not having any IPv6 records. EDIT: to be clear, in kresd it’s relatively easy to have rules conditional on client’s address, so it could be specific to both the device and the names.

EDIT: I think suricata can terminate https connections based on server name – that might be another name-based option, but I’ve never worked with suricata.

Feedback: Netflix blocking connections using 6in4, for example HE.

What’s wrong with my post again?

It was basically repeating what was included in the original post, I believe.

And what confirmation?

Oh, this is interesting. Maybe something like this?

-- sketch only: policy.<return IPv4 only> is a placeholder, not a real action
view:addr('192.168.1.25', function (req, query)
    if query:qname():find('netflix.com') then
        return policy.<return IPv4 only>
    end
end)

Though I’m not sure how to filter for IPv4 only addresses. Somehow set up a Netflix zone with only IPv4 addresses in it?

Add line "option include_config '/etc/kresd/custom.conf'" in section "option include_config '/etc/kresd/custom.conf'" in file /etc/config/resolver.

Create file /etc/kresd/custom.conf with:

modules = { 'policy' }

local function filterAAAA (state, req)
        local qry = req:current()
        if qry.stype == kres.type.AAAA then
                return kres.DONE
        end
        return state
end

-- block netflix ipv6 resolution as it blocks tunnelbroker
policy.add(policy.suffix(filterAAAA, policy.todnames({'netflix.net.', 'netflix.com.', 'nflxext.com.', 'nflximg.com.', 'nflxvideo.net.', 'nflxso.net.'})))

Sweet. This works great. Thank you.

I also realized that this should probably be network wide and not just for the one host.

As a bonus I learned stuff about Knot resolver.

Yes. Nitpick: this way the AAAA answer doesn’t contain SOA, so clients get no TTL and might not cache the negative answer well, but that will probably cause no practical issues, especially on LAN.
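Added example (not part of the thread, and not Knot Resolver code): a small Python parser that shows what the nitpick above means for a client, by reading a DNS reply and reporting the negative-cache TTL it would take from the SOA (RFC 2308). Both replies are constructed sample bytes, not captured traffic; the empty NOERROR reply for the filtered name and the SOA values are assumptions.

```python
import struct

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query (RD set), class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Return rcode, answer RR types, and negative-cache TTL (None without SOA)."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    answers, neg_ttl = [], None
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i < an:
            answers.append(rtype)
        elif rtype == 6:                       # SOA in the authority section
            minimum = struct.unpack("!I", msg[off + rdlen - 4:off + rdlen])[0]
            neg_ttl = min(ttl, minimum)        # RFC 2308 negative TTL
        off += rdlen
    return {"rcode": flags & 0xF, "answers": answers, "neg_ttl": neg_ttl}

def as_response(query, authority=b"", nscount=0):
    """Turn a query into a constructed NOERROR reply with optional authority RRs."""
    return query[:2] + struct.pack("!5H", 0x8180, 1, 0, nscount, 0) + query[12:] + authority

# Constructed sample replies for an AAAA (type 28) query; not captured traffic.
QUERY = build_query("www.netflix.com", 28)
FILTERED = as_response(QUERY)                  # empty reply: no answer, no SOA
PTR = b"\xc0\x10"                              # pointer to "netflix.com" in the question
SOA = (PTR + struct.pack("!HHIH", 6, 1, 300, 24) + PTR + PTR
       + struct.pack("!5I", 1, 7200, 900, 1209600, 60))
NODATA = as_response(QUERY, SOA, 1)            # ordinary NODATA reply carrying SOA
```

summarize(FILTERED) reports no negative TTL, while summarize(NODATA) reports 60 seconds. To check a live resolver, send build_query(...) over UDP port 53 and pass the reply to summarize().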

sweet

A pragmatic solution would be to simply get rid of the v6 tunnel.

You are 100% correct. Too bad my ISP doesn’t give me an IPv6 address.

I take it you want IPv6… but I’m curious, is there anything you need it for?

Strictly speaking, no. It was in response to other things not working very well without it though. Things like “apt” would have a hard time connecting if they got an AAAA response and wouldn’t fail over to the IPv4 A record.

All these workarounds are for things that are annoyances. Also, since my job is related to networking, I thought it would be beneficial to get some hands-on experience with IPv6. Again, not something I need it for, but you get the picture.

Well worth the minor annoyances in my opinion and I’m quite grateful for this community in helping me come up with solutions.