eXDee
4033 posts

Uber Geek
+1 received by user: 1070

Trusted

  #1542417 26-Apr-2016 20:16

Just a heads up to anyone using these services and fighting the unblocking war, some of the guidance given by these services very much looks like taking a sledgehammer to a problem until the wall comes down with no precision at all.

 

For example Unlocator has given guidance to its users to block IP ranges. In the past this was just Google, but someone asked me for assistance with setting up their latest attempt at defeating the unblocking-blockers and it involves blocking entire subnets owned by Netflix and a few other affiliated networks (I assume), and using rules to block /30, /24 and even /16.

 

This wouldn't be a sledgehammer solution if they owned a whole /16, it would indeed be fitting. But checking on just three of these /16 (255.255.0.0) rules, they only needed to block a /18, a /17 and a /20. The latter is 4096 addresses, and their /16 null route subnetting rule is going to block 65536 addresses instead, of hundreds of unrelated networks.

 

Changing your DNS to a third party (and therefore trusting your device/entire network with them) is one thing, but trusting these guys who are suggesting to randomly disable entire chunks of the IPv4 space is very concerning, as it just screams ignorance of how networking actually works.

 

In fact a great target of a malicious actor would be going after one of these services, still yet to see that happen publicly at least anyway.




watsonash
91 posts

Master Geek
+1 received by user: 14


  #1542579 27-Apr-2016 09:42

eXDee:

 

Just a heads up to anyone using these services and fighting the unblocking war, some of the guidance given by these services very much looks like taking a sledgehammer to a problem until the wall comes down with no precision at all.

 

For example Unlocator has given guidance to its users to block IP ranges. In the past this was just Google, but someone asked me for assistance with setting up their latest attempt at defeating the unblocking-blockers and it involves blocking entire subnets owned by Netflix and a few other affiliated networks (I assume), and using rules to block /30, /24 and even /16.

 

This wouldn't be a sledgehammer solution if they owned a whole /16, it would indeed be fitting. But checking on just three of these /16 (255.255.0.0) rules, they only needed to block a /18, a /17 and a /20. The latter is 4096 addresses, and their /16 null route subnetting rule is going to block 65536 addresses instead, of hundreds of unrelated networks.

 

 

 

 

I do agree with what you are saying - the only issue is that to fully accurately describe the netflix range requires many blocks;

 

https://ipinfo.io/AS2906#blocks

 

I'll try the full range on my er-lite sometime this week to see if it can handle it.

 

I was previously just blocking outbound TCP/UDP port 53 to the ranges you are referring to but last night for the first time, every piece of content on Netflix US on the Nvidia Shield TV was unplayable using unotelly Test region5 (all were giving a proxy detected message) - this is despite rewriting google and open dns.

 

It is getting to the stage where I can't really be bothered with it anymore and am considering just switching back to the NZ region or cancelling my netflix subscription altogether.

 

 


eXDee
4033 posts

Uber Geek
+1 received by user: 1070

Trusted

  #1542619 27-Apr-2016 10:24

If i was doing this i'd probably grab a cheap virtual server (eg digitalocean), set up my own VPN solution on it, and put a particular streaming device on a separate VLAN with default gateway out the VPN, so the only path is through that. I haven't tested this but the concept seems sound enough. You lose the national caches but given how things have been going I wouldn't be surprised if that becomes no longer a possibility with a standard unblocker either.




frudrew
143 posts

Master Geek
+1 received by user: 7


  #1542635 27-Apr-2016 10:57

Good news! I think?

 

 

 

Haven't tried other regions on unotelly Netflix but I can now watch from US and Canada libraries. I'll try others when I get home tonight.


SaltyNZ
8862 posts

Uber Geek
+1 received by user: 9539

Trusted
2degrees
Lifetime subscriber

  #1542662 27-Apr-2016 11:23

eXDee:

 

If i was doing this i'd probably grab a cheap virtual server (eg digitalocean), set up my own VPN solution on it, and put a particular streaming device on a separate VLAN with default gateway out the VPN, so the only path is through that. I haven't tested this but the concept seems sound enough. You lose the national caches but given how things have been going I wouldn't be surprised if that becomes no longer a possibility with a standard unblocker either.

 

 

This is a valid solution, but many/most hosting ranges are already blocked. If you want to discuss this option, get yourself onto the closed thread. :-)





iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.


jarledb
Webhead
3319 posts

Uber Geek
+1 received by user: 1983

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1542671 27-Apr-2016 11:38

eXDee:

 

Just a heads up to anyone using these services and fighting the unblocking war, some of the guidance given by these services very much looks like taking a sledgehammer to a problem until the wall comes down with no precision at all.

 

For example Unlocator has given guidance to its users to block IP ranges. In the past this was just Google, but someone asked me for assistance with setting up their latest attempt at defeating the unblocking-blockers and it involves blocking entire subnets owned by Netflix and a few other affiliated networks (I assume), and using rules to block /30, /24 and even /16.

 

 

Unotelly is suggesting the same thing. They suggest/suggested (can't find the UnoTelly post on this anymore) blocking huge chunks of IP ranges.





Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation or subscribing.


watsonash
91 posts

Master Geek
+1 received by user: 14


  #1542724 27-Apr-2016 12:40

jarledb:

 

eXDee:

 

Just a heads up to anyone using these services and fighting the unblocking war, some of the guidance given by these services very much looks like taking a sledgehammer to a problem until the wall comes down with no precision at all.

 

For example Unlocator has given guidance to its users to block IP ranges. In the past this was just Google, but someone asked me for assistance with setting up their latest attempt at defeating the unblocking-blockers and it involves blocking entire subnets owned by Netflix and a few other affiliated networks (I assume), and using rules to block /30, /24 and even /16.

 

 

Unotelly is suggesting the same thing. They suggest/suggested (can't find the UnoTelly post on this anymore) blocking huge chunks of IP ranges.

 

 

There are still support notes on Unotelly's site detailing similar ranges;

 

http://help.unotelly.com/support/solutions/articles/192836-why-do-i-need-to-block-public-dns-lookups-

 

 

 

For my setup I've specified the full AS2906 ranges in their entirety on my er-lite and am blocking outbound UDP/TCP port 53 to them, so I'll check tonight to see how this goes - it was a pain putting in the following though ;-)

 

I'm sure anyone with Ubiquiti kit will recognise the syntax ;-)

 

address-group NetflixAS2906 {
address 23.246.0.0/18
address 23.246.2.0/24
address 23.246.3.0/24
address 23.246.4.0/24
address 23.246.5.0/24
address 23.246.6.0/24
address 23.246.7.0/24
address 23.246.8.0/24
address 23.246.9.0/24
address 23.246.10.0/24
address 23.246.11.0/24
address 23.246.12.0/24
address 23.246.13.0/24
address 23.246.14.0/24
address 23.246.15.0/24
address 23.246.16.0/24
address 23.246.17.0/24
address 23.246.18.0/24
address 23.246.20.0/24
address 23.246.22.0/24
address 23.246.23.0/24
address 23.246.24.0/24
address 23.246.25.0/24
address 23.246.26.0/24
address 23.246.27.0/24
address 23.246.28.0/22
address 23.246.28.0/24
address 23.246.29.0/24
address 23.246.30.0/24
address 23.246.31.0/24
address 23.246.36.0/24
address 23.246.37.0/24
address 23.246.38.0/24
address 23.246.39.0/24
address 23.246.40.0/24
address 23.246.41.0/24
address 23.246.42.0/24
address 23.246.44.0/24
address 23.246.46.0/24
address 23.246.47.0/24
address 23.246.48.0/24
address 23.246.49.0/24
address 23.246.50.0/24
address 23.246.51.0/24
address 23.246.54.0/24
address 23.246.55.0/24
address 23.246.56.0/24
address 23.246.57.0/24
address 23.246.58.0/24
address 23.246.59.0/24
address 23.246.62.0/24
address 23.246.63.0/24
address 37.77.184.0/24
address 37.77.185.0/24
address 37.77.186.0/24
address 37.77.187.0/24
address 37.77.188.0/24
address 37.77.189.0/24
address 37.77.190.0/24
address 37.77.191.0/24
address 45.57.0.0/17
address 45.57.2.0/24
address 45.57.3.0/24
address 45.57.4.0/24
address 45.57.5.0/24
address 45.57.6.0/24
address 64.120.128.0/17
address 66.197.128.0/17
address 108.175.32.0/24
address 108.175.33.0/24
address 108.175.34.0/24
address 108.175.35.0/24
address 108.175.38.0/24
address 108.175.39.0/24
address 108.175.40.0/24
address 108.175.41.0/24
address 108.175.42.0/24
address 108.175.43.0/24
address 108.175.44.0/24
address 108.175.46.0/24
address 108.175.47.0/24
address 185.2.220.0/24
address 185.2.221.0/24
address 185.2.222.0/24
address 185.2.223.0/24
address 185.9.188.0/24
address 185.9.190.0/23
address 192.173.64.0/20
address 192.173.64.0/24
address 192.173.80.0/20
address 192.173.96.0/20
address 192.173.112.0/20
address 198.38.96.0/24
address 198.38.97.0/24
address 198.38.98.0/24
address 198.38.99.0/24
address 198.38.102.0/24
address 198.38.108.0/24
address 198.38.109.0/24
address 198.38.110.0/24
address 198.38.111.0/24
address 198.38.112.0/24
address 198.38.113.0/24
address 198.38.114.0/24
address 198.38.115.0/24
address 198.38.116.0/24
address 198.38.117.0/24
address 198.38.118.0/24
address 198.38.119.0/24
address 198.38.120.0/24
address 198.38.121.0/24
address 198.38.122.0/24
address 198.38.123.0/24
address 198.38.124.0/24
address 198.38.125.0/24
address 198.45.48.0/24
address 198.45.49.0/24
address 198.45.52.0/24
address 198.45.53.0/24
address 198.45.54.0/24
address 198.45.55.0/24
address 198.45.56.0/24
address 198.45.57.0/24
address 198.45.58.0/24
address 198.45.61.0/24
address 198.45.62.0/24
address 198.45.63.0/24
address 208.75.79.0/24
}
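
An added example, not part of either post above: it validates and minimises a hand-typed prefix list like this address-group, and measures the collateral eXDee describes when a /16 rule stands in for a /20. The sample list is a subset of the posted entries plus one constructed malformed entry; the `192.173.0.0/16` rule and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the address-group entries posted above,
# plus one malformed entry (comma instead of dot) of the kind a hand-typed
# list easily picks up.
GROUP = [
    "23.246.0.0/18", "23.246.2.0/24", "23.246.3.0/24",
    "23.246.28.0/22", "23.246.28.0/24",
    "37.77.184.0/24", "37.77.185.0/24", "37.77.186.0/24", "37.77.187.0/24",
    "185.2.223,0/24",
    "185.9.188.0/24", "185.9.190.0/23",
    "192.173.64.0/20", "192.173.64.0/24", "192.173.80.0/20",
    "192.173.96.0/20", "192.173.112.0/20",
]


def parse_group(entries):
    """Return (networks, rejected). strict=True also rejects prefixes
    that have host bits set, not only unparseable strings."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return nets, rejected


def minimise(nets):
    """Drop prefixes already covered by a shorter one and merge adjacent
    siblings, giving the smallest list that matches the same addresses."""
    return list(ipaddress.collapse_addresses(nets))


def overblock(rule, needed):
    """Count addresses matched by `rule` that lie outside every prefix
    in `needed` (the collateral damage of an over-broad rule)."""
    rule_net = ipaddress.ip_network(rule)
    wanted = ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in needed
    )
    covered = sum(n.num_addresses for n in wanted if n.subnet_of(rule_net))
    return rule_net.num_addresses - covered


if __name__ == "__main__":
    nets, rejected = parse_group(GROUP)
    print("rejected entries:", rejected)
    for net in minimise(nets):
        print("address", net)
    # Hypothetical /16 rule where only a /20 was needed.
    print("collateral addresses:",
          overblock("192.173.0.0/16", ["192.173.64.0/20"]))
```

The sixteen valid sample entries reduce to five prefixes that match exactly the same addresses, which is easier to review and to keep in step with the AS's announcements.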

 

 

 

 


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1542863 27-Apr-2016 15:40

Ugh. You can do this with a single rule on the EdgeRouter (dst-nat port 53 redirect). Doing it that way makes no sense. DM me if you want access to the private forums.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


watsonash
91 posts

Master Geek
+1 received by user: 14


  #1542924 27-Apr-2016 16:57

michaelmurfy: Ugh. You can do this with a single rule on the EdgeRouter (dst-nat port 53 redirect). Doing it that way makes no sense. DM me if you want access to the private forums.

 

nah not quite - a dst-nat 53 redirect chucks all the dns traffic and not just the traffic relating to the netflix ranges.

 

I don't believe private forums are the way to go on this stuff - the subject is widely discussed on the whirlpool forums and about every other reference to be honest - the answer will always be in the public domain.

 

Something that works today is unlikely to work next week/year etc, the DNS providers are testament to that.

 

The golden days of having netflix US etc from anywhere are over. It's likely HBO et al will follow suit (why wouldn't they).

 

To be honest there is more interesting content on Freeview and BBC iplayer.

 

Anyhow each to their own.

 

Netflix hasn't even started on what they could do to further disrupt people...

 

 


charliebrownnz
79 posts

Master Geek
+1 received by user: 53


  #1542981 27-Apr-2016 19:25

eXDee:

 

Just a heads up to anyone using these services and fighting the unblocking war, some of the guidance given by these services very much looks like taking a sledgehammer to a problem until the wall comes down with no precision at all.

 

For example Unlocator has given guidance to its users to block IP ranges. In the past this was just Google, but someone asked me for assistance with setting up their latest attempt at defeating the unblocking-blockers and it involves blocking entire subnets owned by Netflix and a few other affiliated networks (I assume), and using rules to block /30, /24 and even /16.

 

This wouldn't be a sledgehammer solution if they owned a whole /16, it would indeed be fitting. But checking on just three of these /16 (255.255.0.0) rules, they only needed to block a /18, a /17 and a /20. The latter is 4096 addresses, and their /16 null route subnetting rule is going to block 65536 addresses instead, of hundreds of unrelated networks.

 

Changing your DNS to a third party (and therefore trusting your device/entire network with them) is one thing, but trusting these guys who are suggesting to randomly disable entire chunks of the IPv4 space is very concerning, as it just screams ignorance of how networking actually works.

 

In fact a great target of a malicious actor would be going after one of these services, still yet to see that happen publicly at least anyway.

 

 

 

 

Unlocator are only suggesting that if you still have issues getting US netflix with their beta. I work with a couple of people using them without having to resort to blocking any IPs. I'm also using a vpn that got around the Netflix block as well. I think we are seeing the unblockers adapt to Netflix's new measures. It is probably always going to be a game of cat and mouse from now on - if this has taught me anything, it's that it's definitely easier to do this if you are using a media tv vs a smart tv, chromecast, apple tv, console etc. If I owned a computer shop, I would be doing a hard sell on cheap media PCs, they are fantastic and can turn a normal tv into a very smart and easy to use tv.


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1543139 28-Apr-2016 00:54

watsonash:

 

michaelmurfy: Ugh. You can do this with a single rule on the EdgeRouter (dst-nat port 53 redirect). Doing it that way makes no sense. DM me if you want access to the private forums.

 

nah not quite - a dst-nat 53 redirect chucks all the dns traffic and not just the traffic relating to the netflix ranges.

 

I don't believe private forums are the way to go on this stuff - the subject is widely discussed on the whirlpool forums and about every other reference to be honest - the answer will always be in the public domain.

 

Something that works today is unlikely to work next week/year etc, the DNS providers are testament to that.

 

The golden days of having netflix US etc from anywhere are over. It's likely HBO et al will follow suit (why wouldn't they).

 

To be honest there is more interesting content on Freeview and BBC iplayer.

 

Anyhow each to their own.

 

Netflix hasn't even started on what they could do to further disrupt people...

 

Right... Guess you have not been following the Whirlpool forums too much then as there is so much incorrect information being posted on there. Since I use dnscrypt my rule is as follows to ensure DNS (port 53 traffic) doesn't leak my network from anything but some VMs:

 

00:45 mmurphy@charmander ~ $ show service dns
forwarding {
cache-size 10
listen-on eth1
listen-on eth2
name-server 192.168.2.8
name-server 192.168.2.10
}

 

00:45 mmurphy@charmander ~ $ show service nat rule 3
description "DNS Forward"
destination {
port 53
}
inbound-interface eth1
inside-address {
address 192.168.2.1
port 53
}
log disable
protocol tcp_udp
source {
address 192.168.2.20-192.168.2.254
}
type destination

 

Also, generally Google is showing mostly incorrect, misguided or incomplete information. As previously stated on here keep your solutions to yourself since Geekzone ranks very highly on Google and providers in general are trying to keep information behind closed doors for a reason. It has already been proven people (on here, other forums, reddit etc) talking about viable easy to follow solutions are just causing Big Red to block those solutions - honestly, seen it too many times now to count where I, or others have posted a solution then it stops working after a week (wonder why...).

 

As per your last suggestion "Netflix hasn't even started on what they could do to further disrupt people..." don't give them a way how - simple...





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


Regs
4066 posts

Uber Geek
+1 received by user: 206

Trusted
Snowflake

  #1543143 28-Apr-2016 01:21

SaltyNZ:

 

eXDee:

 

If i was doing this i'd probably grab a cheap virtual server (eg digitalocean), set up my own VPN solution on it, and put a particular streaming device on a separate VLAN with default gateway out the VPN, so the only path is through that. I haven't tested this but the concept seems sound enough. You lose the national caches but given how things have been going I wouldn't be surprised if that becomes no longer a possibility with a standard unblocker either.

 

 

This is a valid solution, but many/most hosting ranges are already blocked. If you want to discuss this option, get yourself onto the closed thread. :-)

 

 

yeah, most public cloud hosting ranges blocked. best option is to find a friend in the US with a gig fibre connection that can host a vpn concentrator for you and won't notice the passthrough traffic :)

 

 





eliema
20 posts

Geek
+1 received by user: 3


  #1544016 29-Apr-2016 13:51

I was continuing with UnoTelly as I still got Netflix US on my android and PC, but when that stopped a few days ago I trialled dns4me (supposedly unaffected), which has returned service to those two devices but that's all.

 

I'm not sure how much fight I have left in me to keep chasing Netflix US, but can I get an invite/link to the private forum? If there are easy enough workarounds I'll try them


timbosan
2199 posts

Uber Geek
+1 received by user: 294

Subscriber

  #1544034 29-Apr-2016 14:42

eliema:

 

I was continuing with UnoTelly as I still got Netflix US on my android and PC, but when that stopped a few days ago I trialled dns4me (supposedly unaffected), which has returned service to those two devices but that's all.

 

I'm not sure how much fight I have left in me to keep chasing Netflix US, but can I get an invite/link to the private forum? If there are easy enough workarounds I'll try them

 



Did you follow the instructions on the dns4me website?  i.e. more than just changing your DNS address?


eliema
20 posts

Geek
+1 received by user: 3


  #1544156 29-Apr-2016 18:24

timbosan:

 

eliema:

 

I was continuing with UnoTelly as I still got Netflix US on my android and PC, but when that stopped a few days ago I trialled dns4me (supposedly unaffected), which has returned service to those two devices but that's all.

 

I'm not sure how much fight I have left in me to keep chasing Netflix US, but can I get an invite/link to the private forum? If there are easy enough workarounds I'll try them

 



Did you follow the instructions on the dns4me website?  i.e. more than just changing your DNS address?

 

 

If you're talking about the instructions for static routes linked on their front page then yes, UnoTelly had the same thing going for a while

