Sunday, March 31, 2013

DJBDNS and Netflix - Outside USA.

Introduction

Most countries in Europe have access to Netflix by now. However, the content offered is still lacking compared to what is available in the USA.

Several services on the net offer DNS + VPN / Proxy solutions to circumvent this. However, if you are like me, you do not really feel ok with giving some service on the net your entire internet traffic for tunneling. In theory they could sniff logins to other services made from a device using their DNS / Tunnel setup.

Background

I was reading this article and decided to do it one better: instead of merely using the hosts file on a single PC or server, I decided to configure it directly on my own DNS server and apply it network-wide on my own LAN.

Goal

So the goal here is to *only* use their DNS/Proxy for Netflix specifically. The rest of the DNS lookups will resolve as they always have.

The end result is a DNS setup that will allow you to use a Proxy Service in the USA for Netflix alone.

Prerequisites 

  1. A DNS + Proxy / VPN service. I am currently using the excellent service from Unblock US. You could also buy a real VPN solution or even a VPS server in the USA, so that you could do the entire config by yourself.
  2. Your own configured DNS server on your local network. I am using DJBDNS.
  3. A good understanding of things related to IP networking and DNS configuration.

DNS configuration


dnscache

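You need to take over two domains for hosting on your own DNS:
  1. netflix.com
  2. netflix.net

dnscache decides which servers to ask about a domain from the files in its root/servers directory, so each domain gets a file there:

[user@dnsserver /service/dnscache/root]$ ls -la servers/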
total 1
drwxr-sr-x  2 root  wheel  512 17 mar 16:47 .
drwxr-sr-x  6 root  wheel  512  4 jan  2008 ..
-rw-r--r--  1 root  wheel   10 12 nov  2003 1.168.192.in-addr.arpa
-rw-r--r--  1 root  wheel  168  4 feb 20:06 @
-rw-r--r--  1 root  wheel   10 13 nov  2003 barnabas.dk
-rw-r--r--  1 root  wheel   10 17 mar 16:47 netflix.com
-rw-r--r--  1 root  wheel   10 17 mar 16:47 netflix.net

You will probably already have the first two files. The first one may be named differently because it is the reverse DNS entry for hosts on your local network. The "@" file contains a list of root nameservers on the net.

The barnabas.dk file contains the IP address of the DNS server hosting that particular domain. The domain resolves differently on my LAN than it does out on the net. This makes it easier to develop new stuff locally without making DNS changes visible on the net. The DNS server hosting the domain is running on the loopback (127.0.0.1) interface of the DNS server host, so that is the IP put into the file. Now create similar files named netflix.com and netflix.net.

Restart your server nicely with a kill -HUP <pid>.


tinydns

This is where things become a little more tricky, because we now want the netflix.com and netflix.net host names to point to the correct IP addresses at Unblock US. This is done to send IP traffic via their servers on to the Netflix ones. So edit the "data" file of your tinydns server, or use the DJBDNS tools to do this on the command line.

# Forward zone
Zbarnabas.dk:sauron.barnabas.dk:hostmaster.barnabas.dk::::::::
Znetflix.com:sauron.barnabas.dk:hostmaster.barnabas.dk::::::::
Znetflix.net:sauron.barnabas.dk:hostmaster.barnabas.dk::::::::

# NS records: primary nameservers
&barnabas.dk::sauron.barnabas.dk:::
&netflix.com::sauron.barnabas.dk:::
&netflix.net::sauron.barnabas.dk:::

#netflix aname
=www.netflix.com:54.243.127.15:36000::
=signup.netflix.com:23.21.78.133:36000::
=movies.netflix.com:204.12.200.61:36000::
=cbp-us.nccp.netflix.com:204.12.200.65:36000::
=movies1.netflix.com:204.12.200.130:36000::
=movies2.netflix.com:204.12.200.104:36000::
=netflix.com:204.12.200.14:36000::
=moviecontrol.netflix.com:204.12.200.7:36000::
=api-global.netflix.com:204.12.200.88:36000::
=api-us.netflix.com:204.12.200.83:36000::
=api.netflix.com:204.12.200.2:36000::
=www2.netflix.com:204.12.200.100:36000::
=redirects-us.nccp.netflix.com:204.12.200.119:36000::
=redirects-eu.nccp.netflix.com:204.12.200.118:36000::
=nccp-nrdp-31.cloud.netflix.net:204.12.200.26:36000::
=ios.nccp.netflix.com:204.12.200.92:36000::
=atv.nccp.netflix.com:204.12.200.14:36000::
=uiboot.netflix.com:204.12.200.11:36000::
=signup.netflix.com:204.12.200.39:36000::
=iphone-api.netflix.com:204.12.200.14:36000::
=nccp-fuji.netflix.com:204.12.200.14:36000::
=nccp-fuji.cloud.netflix.net:204.12.200.27:36000::
=nccp-nato.cloud.netflix.net:204.12.200.22:36000::
=nccp-nato.netflix.com:204.12.200.14:36000::
=mcdn.netflix.com:204.12.200.14:36000::
=secure.netflix.com:204.12.200.12:36000::
=htmltvui-api.netflix.com:204.12.200.13:36000::
=nccp-ps3.netflix.com:204.12.200.14:36000::
=nccp-ps3.cloud.netflix.net:204.12.200.18:36000::
=api-user.netflix.com:204.12.200.17:36000::
=mobile-api.netflix.com:204.12.200.42:36000::
=api-public.netflix.com:204.12.200.14:36000::
=dvd.netflix.com:204.12.200.14:36000::
=android.nccp.netflix.com:204.12.200.93:36000::

If you can be bothered, you could set up an A record for each of the IPs in that list and then CNAME each of the hosts needed to it. That would be the nicest way to do it, but I am lazy and like cut and paste.
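Because tinydns now answers authoritatively for all of netflix.com and netflix.net, a name missing from the data file stops resolving on the LAN, and a cut-and-paste list easily picks up repeated or conflicting lines. The check below is an added example, not part of the original post; the sample data is a constructed subset of the format shown above, and the WANTED list with the host newhost.netflix.com is hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample in the tinydns data format shown above (not the full list).
SAMPLE_DATA = """\
# Forward zone
Znetflix.com:sauron.barnabas.dk:hostmaster.barnabas.dk::::::::
Znetflix.net:sauron.barnabas.dk:hostmaster.barnabas.dk::::::::
=www.netflix.com:54.243.127.15:36000::
=signup.netflix.com:23.21.78.133:36000::
=movies.netflix.com:204.12.200.61:36000::
=movies.netflix.com:204.12.200.61:36000::
=signup.netflix.com:204.12.200.39:36000::
=nccp-fuji.cloud.netflix.net:204.12.200.27:36000::
"""
# Names a client is assumed to look up; newhost.netflix.com is hypothetical.
WANTED = ["www.netflix.com", "newhost.netflix.com", "api.crittercism.com"]

def parse_data(text):
    """Return (zones, records): Z and . lines name hosted zones, = and + lines give (name, ip)."""
    zones, records = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#":
            continue
        kind, fields = line[0], line[1:].split(":")
        name = fields[0].lower().rstrip(".")
        if kind in ("Z", "."):
            zones.add(name)
        elif kind in ("=", "+") and len(fields) > 1 and fields[1]:
            records.append((name, fields[1]))
    return zones, records

def audit(text, wanted):
    """Flag repeated lines, names with several IPs, and wanted names left without an answer."""
    zones, records = parse_data(text)
    ips = defaultdict(set)
    for name, ip in records:
        ips[name].add(ip)
    def in_zone(n):  # wildcard records are not handled in this example
        return any(n == z or n.endswith("." + z) for z in zones)
    return {
        "duplicate": sorted(r for r, c in Counter(records).items() if c > 1),
        "multi_ip": sorted(n for n, s in ips.items() if len(s) > 1),
        "unanswered": sorted(n for n in wanted if in_zone(n) and n not in ips),
        "not_hosted": sorted(n for n in wanted if not in_zone(n)),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DATA, WANTED).items():
        print(key, value)
```

Names reported as "unanswered" fall inside a zone you have taken over but have no record, so LAN clients cannot resolve them; names under "not_hosted" are still resolved through normal DNS.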

After editing the data file run make. This will produce the actual file for tinydns to use containing your new entries.

You should now restart your tinydns server like you did the dnscache server.


Conclusion

You should now be able to run your Netflix app using Unblock-US Proxy services and your *own* DNS server putting the control back where it belongs - in your own hands.

If you have corrections, improvements or additions to the above feel free to post them here.

FAQ

  1. Q: "What happens if I do this and Netflix or Unblock US changes IPs." A: "You are screwed basically. You asked for full control now you have it. You should probably use a different public DNS to find the correct IP values."
  2. Q: "This makes my xyz device do the two step shuffle instead of showing me Netflix, what should I do" A: "Fix the DNS setup and mail / post your findings here once you have a working solution"

Errata

It seems the later versions of the Netflix app also require:

api.crittercism.com

The list of CNAMES above is severely outdated. The method is, however, still sound.
