HE IPv6 - Netflix

Please follow the below template, it will help us to help you!

Expected Behaviour:

BLOCKINGMODE=NULL
Blocks AAAA

Actual Behaviour:

Does not appear to work, at least not in a consistent manner. (cleared Pi/client cache)
Switched to dev branch and same behavior. FTL is running.
Added REGEX but Netflix is inconsistent in their naming, so it works with anything prefixed with IPv6.


BLOCKINGMODE=NULL

;; QUESTION SECTION:
;netflix.com. IN ANY
;netflix.net. IN ANY
;nflxext.com. IN ANY
;nflxvideo.net. IN ANY

;; ANSWER SECTION:
netflix.com. 2 IN AAAA ::
netflix.net. 2 IN AAAA ::
nflxext.com. 2 IN AAAA ::
nflxvideo.net. 2 IN AAAA ::
nflxso.net. 2 IN AAAA ::


REGEX:

^ipv6..netflix.((com)|(net))$
^ipv6..nflxext.((com)|(net))$
^ipv6..nflxso.((com)|(net))$
^ipv6..nflxvideo.((com)|(net))$


pihole-FTL.conf would be ideal, but the regex appears to work, though only with domains that have ipv6 prefixed.

Debug Token:

https://tricorder.pi-hole.net/dv8l2c9gzv

I don’t fully understand the problem you are having. Do you have some output from the log at /var/log/pihole.log that will show the problem?

What are you trying to accomplish with this regex?

^ipv6\.\.netflix\.((com)|(net))$

There was an attempt at crafting a regex to block IPv6 domains for Netflix due to their tunnel/proxy block (HE IPv6 tunnel). It doesn’t work too well :slight_smile:.

PiHole appears to respond with the IPv6 instead of the Null reply as configured in pihole-ftl.conf.
Preference is to configure via pihole-ftl.conf due to the complexity and lack of consistency with Netflix IPv6 hosted content.

Mar 21 14:37:36 dnsmasq[20211]: query[A] ipv6-c010-mia006-ix.1.oca.nflxvideo.net from 10.61.6.50
Mar 21 14:37:36 dnsmasq[20211]: forwarded ipv6-c010-mia006-ix.1.oca.nflxvideo.net to 2620:fe::9
Mar 21 14:37:36 dnsmasq[20211]: query[AAAA] ipv6-c010-mia006-ix.1.oca.nflxvideo.net from 10.61.6.50
Mar 21 14:37:36 dnsmasq[20211]: forwarded ipv6-c010-mia006-ix.1.oca.nflxvideo.net to 2620:fe::9
Mar 21 14:37:36 dnsmasq[20211]: validation result is INSECURE
Mar 21 14:37:36 dnsmasq[20211]: reply ipv6-c010-mia006-ix.1.oca.nflxvideo.net is 45.57.103.134
Mar 21 14:37:36 dnsmasq[20211]: validation result is INSECURE
Mar 21 14:37:36 dnsmasq[20211]: reply ipv6-c010-mia006-ix.1.oca.nflxvideo.net is 2a00:86c0:2103:2103::134

Thanks.

Example:

^ipv6.+\.netflix\.(com|net)$

In these lines of the log, a client at IP 10.61.6.50 is requesting the specific domain shown (both via IPv4 and IPv6). Your Pi-hole is not blocking this domain, so Pi-hole correctly returned both IPs.

What is it specifically that you want to block? All of Netflix, or just some of the Netflix domains? Only those domains that are unique to IPv6?

msatter thank you, almost correct :slight_smile:. Still having my cigar though…

jfb I’m trying to block the IPv6 responses for Netflix because they believe the HE IPv6 tunnel is to circumvent their regional blocks. The regex is not a catch-all for their IPv6 domains and would ideally be blocked via the domain AAAA blocking mode (that appears as if it would work consistently), but I have not had success, which is why I went the regex route.

Lastly, whenever I pihole -g, it reports some syntax errors but it doesn’t appear to differ (maybe?) from the blocking mode linked above.

/etc/pihole/pihole-FTL.conf: line 3: syntax error near unexpected token `;;'
/etc/pihole/pihole-FTL.conf: line 3: `;; QUESTION SECTION:'

16:28:12: query[AAAA] ipv6-c159-sea001-ix.1.oca.nflxvideo.net from 10.61.6.50
16:28:12: regex blacklisted ipv6-c159-sea001-ix.1.oca.nflxvideo.net is 0.0.0.0
16:28:12: query[AAAA] ipv6-c001-bel001-interconnect-br-isp.1.oca.nflxvideo.net from 10.61.6.50
16:28:12: regex blacklisted ipv6-c001-bel001-interconnect-br-isp.1.oca.nflxvideo.net is 0.0.0.0
16:28:12: query[AAAA] ipv6-c159-sea001-ix.1.oca.nflxvideo.net from fd27:70fa:5c1d:0:ec35:1aed:a0d:65f9
16:28:12: regex blacklisted ipv6-c159-sea001-ix.1.oca.nflxvideo.net is ::
16:28:12: validation result is INSECURE
**16:28:12: reply occ-0-2322-3996.1.nflxso.net is 2804:1434:cafe::2**
16:28:12: query[AAAA] ipv6-c159-sea001-ix.1.oca.nflxvideo.net from 10.61.6.50
16:28:12: regex blacklisted ipv6-c159-sea001-ix.1.oca.nflxvideo.net is 0.0.0.0
16:28:12: query[AAAA] ipv6-c001-bel001-interconnect-br-isp.1.oca.nflxvideo.net from 10.61.6.50
16:28:12: regex blacklisted ipv6-c001-bel001-interconnect-br-isp.1.oca.nflxvideo.net is 0.0.0.0

Here is another, hopefully I’m interpreting this correctly…

17:22:31: regex blacklisted ipv6-c036-lax009-ix.1.oca.nflxvideo.net is 0.0.0.0
17:22:32: query[A] ipv6-c036-lax009-ix.1.oca.nflxvideo.net from 10.61.6.50
17:22:32: regex blacklisted ipv6-c036-lax009-ix.1.oca.nflxvideo.net is 0.0.0.0
17:22:32: query[AAAA] ipv6-c036-lax009-ix.1.oca.nflxvideo.net from 10.61.6.50
17:22:32: regex blacklisted ipv6-c036-lax009-ix.1.oca.nflxvideo.net is 0.0.0.0
17:22:32: query[AAAA] ipv6-c036-lax009-ix.1.oca.nflxvideo.net from 10.61.6.50
17:22:32: regex blacklisted ipv6-c036-lax009-ix.1.oca.nflxvideo.net is 0.0.0.0
17:22:32: query[A] occ-0-990-987.1.nflxso.net from 10.61.6.50
17:22:32: forwarded occ-0-990-987.1.nflxso.net to 149.112.112.112
17:22:32: query[AAAA] occ-0-990-987.1.nflxso.net from 10.61.6.50
17:22:32: forwarded occ-0-990-987.1.nflxso.net to 149.112.112.112
17:22:32: query[A] occ-0-990-987.1.nflxso.net from fd27:70fa:5c1d:0:ec35:1aed:a0d:65f9
17:22:32: forwarded occ-0-990-987.1.nflxso.net to 149.112.112.112
17:22:32: query[AAAA] occ-0-990-987.1.nflxso.net from fd27:70fa:5c1d:0:ec35:1aed:a0d:65f9
17:22:32: forwarded occ-0-990-987.1.nflxso.net to 149.112.112.112
17:22:32: validation result is INSECURE
17:22:32: reply occ-0-990-987.1.nflxso.net is 198.38.98.163
17:22:32: reply occ-0-990-987.1.nflxso.net is 198.38.98.177
17:22:32: validation result is INSECURE
17:22:32: reply occ-0-990-987.1.nflxso.net is 2a00:86c0:98:ae::171
17:22:32: reply occ-0-990-987.1.nflxso.net is 2a00:86c0:98:ae::178
17:22:32: validation result is INSECURE
17:22:32: reply occ-0-990-987.1.nflxso.net is 198.38.98.169
17:22:32: reply occ-0-990-987.1.nflxso.net is 198.38.98.174
17:22:32: validation result is INSECURE
17:22:32: reply occ-0-990-987.1.nflxso.net is 2a00:86c0:98:ae::171
17:22:32: reply occ-0-990-987.1.nflxso.net is 2a00:86c0:98:ae::178

Regex reference for future sleuths:

^ipv6.+\.netflix\.((com)|(net))$
^ipv6.+\.nflxext\.((com)|(net))$
^ipv6.+\.nflxso\.((com)|(net))$
^ipv6.+.nflxvideo\.((com)|(net))$
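As an added check (not from the thread or from Pi-hole itself), the script below applies the regex list above to hostnames and then scans pihole.log-style lines for routable IPv6 answers that reached a client but are not matched by the list, which is exactly the occ-*.nflxso.net gap visible in the log. The log excerpt is constructed, modelled on the lines posted above.

```python
import ipaddress
import re

# Regex list as corrected in the thread: "ipv6", one or more chars, then the zone.
NETFLIX_IPV6_REGEX = [
    r"^ipv6.+\.netflix\.(com|net)$",
    r"^ipv6.+\.nflxext\.(com|net)$",
    r"^ipv6.+\.nflxso\.(com|net)$",
    r"^ipv6.+\.nflxvideo\.(com|net)$",
]

# First attempt from the thread: ".." matches exactly two characters, so the
# real OCA hostnames (ipv6-c010-...) never match.
FIRST_ATTEMPT_REGEX = [r"^ipv6..netflix.((com)|(net))$"]

# dnsmasq "reply <name> is <addr>" lines; "regex blacklisted" lines are not replies.
REPLY_RE = re.compile(r"\breply (?P<name>\S+) is (?P<addr>\S+)$")


def is_blocked(name, patterns=NETFLIX_IPV6_REGEX):
    """True if any regex in the list matches the (lowercase) domain name."""
    return any(re.search(p, name) for p in patterns)


def ipv6_replies(log_lines):
    """Map domain -> set of IPv6 answers handed to a client.
    NULL-mode answers ("::") and IPv4 answers are ignored."""
    leaked = {}
    for line in log_lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # CNAME targets, NXDOMAIN and similar non-address replies
        if addr.version == 6 and not addr.is_unspecified:
            leaked.setdefault(m["name"], set()).add(str(addr))
    return leaked


def uncovered(log_lines, patterns=NETFLIX_IPV6_REGEX):
    """Domains that returned IPv6 answers yet match none of the regexes."""
    return sorted(d for d in ipv6_replies(log_lines) if not is_blocked(d, patterns))


# Constructed excerpt modelled on the thread's pihole.log lines.
SAMPLE_LOG = """\
17:22:32: query[AAAA] ipv6-c036-lax009-ix.1.oca.nflxvideo.net from 10.61.6.50
17:22:32: regex blacklisted ipv6-c036-lax009-ix.1.oca.nflxvideo.net is ::
17:22:32: query[AAAA] occ-0-990-987.1.nflxso.net from 10.61.6.50
17:22:32: forwarded occ-0-990-987.1.nflxso.net to 149.112.112.112
17:22:32: reply occ-0-990-987.1.nflxso.net is 198.38.98.163
17:22:32: reply occ-0-990-987.1.nflxso.net is 2a00:86c0:98:ae::171
""".splitlines()
```

Feeding the real /var/log/pihole.log into `uncovered()` lists every hostname whose AAAA answer got through, which is the list a new regex would have to cover.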

Please upload a new debug log and post the token. Also, please post the output of the following:

cat /etc/pihole/pihole-FTL.conf

https://tricorder.pi-hole.net/iyiv2zmewd

/etc/pihole/pihole-FTL.conf

BLOCKINGMODE=NULL

;; QUESTION SECTION:
;netflix.com.                  IN      ANY
;netflix.net.                  IN      ANY
;nflxext.com.                  IN      ANY
;nflxvideo.net.                IN      ANY


;; ANSWER SECTION:
netflix.com.            2       IN      AAAA    ::
netflix.net.            2       IN      AAAA    ::
nflxext.com.            2       IN      AAAA    ::
nflxvideo.net.          2       IN      AAAA    ::
nflxso.net.             2       IN      AAAA    ::

PRIVACYLEVEL=0

What is the purpose of these entries in your FTL configuration file? These are not entries that FTL recognizes as configuration options.

Blocking mode documentation gives the impression that it’s configured in:

/etc/pihole/pihole-FTL.conf

Its intent is to block the actual IPv6 responses and have the client fail over to IPv4.

That’s not how it works. You select a blocking mode with a single configuration line in file /etc/pihole/pihole-FTL.conf. Once that blocking mode is selected, the blocking behavior works as shown in the examples on the documentation page.

You have copied the examples into the configuration file, which is causing the error you are seeing with line 3 of the file.

The NULL blocking mode will work for you. The desired domains are being blocked by Pi-hole (in your case via regex), and the response to the query is either 0.0.0.0 (for IPv4) or :: (for IPv6). In either case, no valid IP is returned and the client has no IP to load.

Your configuration file should read as follows. Make the change, save and exit. Then restart FTL with sudo service pihole-FTL restart

BLOCKINGMODE=NULL
PRIVACYLEVEL=0

You can do double grouping: ((com)|(net))

37 steps

Full match	0-24	ipv6asdfghjk.netflix.com
Group 1.	21-24	com
Group 2.	21-24	com

or

You can do single grouping: (com|net)

35 steps:

Full match	0-24	ipv6asdfghjk.netflix.com
Group 1.	21-24	com

msatter, it did not like that change, killed the eth0 config and I finally got it back together. I’m sure the single grouping would have worked, but for whatever reason changing it stopped all queries from being resolved (also BLOCKINGMODE=IP I’m sure had something to do with it); I had to triage eth0 and run pihole -r.

Anyway, it doesn’t sound like I can deny the AAAA independently from the A for the same domain. For example, if xyz.netflix.com was queried, I can’t blackhole the IPv6 for that domain and permit the IPv4 response.

I don’t think I can do what I want (block AAAA but permit A for all Netflix variants), so via OpenWRT I set up the Pi on an IPv6/4 VLAN and the clients on an IPv4 VLAN. It works, but not perfectly (hardware/router can’t have clients query the Pi directly). Thanks for the assistance.