We've recently started having issues using Netflix again and this appears to be because they are now using AWS servers that do not directly resolve under any of the Netflix domains.
For the Android Netflix app we have 'android-appboot.netflix.com'.
nslookup to a pihole returns -
nslookup for netflix.com
I would guess that this would be because the CNAME entries are then looked up separately, and therefore the netflix AAAA block from the upstream is not applied, as they are under amazonaws.com instead of a netflix domain.
Of course, the piholes are several steps removed: piholes that forward to 2x bind servers, which selectively forward netflix domains to a different IPv4 on the secondary bind that does not resolve AAAA records. The same results are given if nslookups are done against the two upstream bind servers. Running nslookup directly against the no-AAAA IPv4 DNS resolves all queries as IPv4 regardless of underlying CNAME records.
Under /etc/dnsmasq.d on all piholes I have added server entries to my existing custom config file -
The piholes were restarted and nslookup was again run against them. The results did not change.
Is it possible that we could retain the context (as a lookup under netflix.com) of the original lookup and resolve the AWS domains with the same .241 server instead of forwarding it to one of the two bind servers for resolution? Presently, to restore netflix I have blocked two IPv6 AS allocations for Amazon. I could also intercept the amazonaws.com hosts or block the IPv6 addresses they resolve to, but the naming scheme leads me to believe that these hosts/IPv6 addresses could easily change and thus break netflix again.
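A small model of how dnsmasq picks an upstream from `server=` rules, added here as an illustration and not part of the original post or of Pi-hole's own code. It follows the documented dnsmasq behaviour that the `server=/domain/ip` rule with the longest matching domain suffix wins and a bare `server=ip` is the default. It then applies the post's own hypothesis that each name in a CNAME chain is matched as a separate query. The IPs (`192.0.2.x`, with `.241` standing in for the no-AAAA resolver) and the amazonaws.com alias are constructed placeholders; the `.241` label is the only detail taken from the post.

```python
# Added example: a simplified model of dnsmasq's server=/domain/ip selection.
# Not real Netflix or AWS data; all addresses and names below are constructed.

DEFAULT = "default"


def parse_server_lines(lines):
    """Parse dnsmasq 'server=/domain/ip' and 'server=ip' lines into a rule table.

    Domain rules are keyed by the domain (lower-case, no trailing dot).
    For brevity a single default upstream is kept (the last bare server= line).
    """
    rules = {}
    for line in lines:
        line = line.strip()
        if not line.startswith("server="):
            continue  # ignore comments and unrelated directives
        value = line[len("server="):]
        if value.startswith("/"):
            # Form: /domain/upstream
            _, domain, upstream = value.split("/", 2)
            rules[domain.lower().strip(".")] = upstream
        else:
            rules[DEFAULT] = value
    return rules


def select_upstream(rules, qname):
    """Return the upstream for qname: longest matching domain suffix, else default.

    Suffixes are built on label boundaries, so 'notnetflix.com' does not
    match a 'netflix.com' rule.
    """
    labels = qname.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return rules.get(DEFAULT)


def route_chain(rules, chain):
    """Under the post's hypothesis (each name in a CNAME chain is looked up as
    its own query), report which upstream handles each name in the chain."""
    return [(name, select_upstream(rules, name)) for name in chain]


# Constructed rule sets: the original setup and one with an amazonaws.com rule.
BEFORE = parse_server_lines([
    "server=192.0.2.10",               # placeholder for the bind forwarders
    "server=/netflix.com/192.0.2.241",  # placeholder for the no-AAAA resolver
])
AFTER = parse_server_lines([
    "server=192.0.2.10",
    "server=/netflix.com/192.0.2.241",
    "server=/amazonaws.com/192.0.2.241",  # route the CNAME target the same way
])

# Constructed CNAME chain in the shape the post describes.
CHAIN = ["android-appboot.netflix.com", "constructed-alias.example-region.amazonaws.com"]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, upstream in route_chain(rules, CHAIN):
            print(f"  {name} -> {upstream}")
```

Running it shows the netflix.com name going to `.241` in both cases while the amazonaws.com alias only reaches `.241` once its own rule exists. The cost of that fix is the one the post already notes: a rule on `amazonaws.com` catches every AWS-hosted name, not just Netflix's, so anything else resolved through that resolver also loses AAAA answers, and it still depends on the alias staying under amazonaws.com.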