
Fixing Netflix on Apple TV when using an IPv6 tunnel

At the 27p office we have a lot of different devices and software for streaming video testing (or watching), including Netflix. Recently we IPv6-enabled the network via a Hurricane Electric (https://tunnelbroker.net) tunnel. However, Netflix block the HE tunnel endpoints (https://forums.he.net/index.php?topic=3564.0): “You seem to be using an unblocker or proxy. Please turn off any of these services and try again. For more help, visit netflix.com/proxy. Code:3-5059”

This seems reasonable, since people can tunnel to other locations using HE endpoints.

The problem is that the Apple TV automatically picks up the IPv6 router advertisements, and there’s no way of turning that off. The Apple TV also uses temporary IPv6 addresses, which can change, to contact Netflix over the tunnel. We came up with two different ways of solving this problem, but neither is actually ideal.

The first way was to block the Apple TV’s IPv6 address on our router from reaching IPv6 endpoints, but it seems that the Apple TV changes its address frequently enough that updating the block all the time is annoying.

The second way was to prevent the Apple TV from learning Netflix’s IPv6 addresses in the first place, so that it would connect over IPv4. We use a Synology DiskStation as an internal DNS server, so we were able to add a tiny bit of configuration for bind9’s response-policy (http://www.zytrax.com/books/dns/ch7/rpz.html) to send only IPv4 responses to certain DNS requests. It’s not possible to filter only AAAA responses for a particular name, but you can add all the IPv4 responses for a name. This is not ideal because Netflix/AWS could change the addresses for their load balancers at any time, but so far this has been stable. It’s also easy enough to change because it can be done through the Synology web UI.

  1. Create a new Master Zone named srpz.zone with any master DNS server.
  2. Create A-type resource records for ichnaea.netflix.com and ios.nccp.netflix.com for each of the current A records for those two hosts. There will probably be about eight of them.
  3. SSH into the Synology and open /var/packages/DNSServer/target/named/etc/conf/named.options.user.conf
  4. Put in the line: response-policy { zone "srpz.zone"; };
  5. Restart the DNS server; clicking “Clear” in the Log section of the UI is a quick way to do this.

Now when any device asks for either of those two names involved in the tunnel checking process, it will only get the IPv4 addresses, and then Netflix will play back fine.
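
The records from steps 1 and 2 written as policy-zone lines, plus a check for the address drift mentioned above, as an added example that is not part of the original post. The addresses are constructed documentation-range values, and rpz_records and drift are hypothetical helper names.

```python
import ipaddress

# Constructed sample data (documentation ranges, not Netflix's real records).
# PINNED is what was entered into srpz.zone; UPSTREAM is assumed to come from
# a resolver that does not apply the policy zone, queried for A records today.
PINNED = {
    "ichnaea.netflix.com": ["192.0.2.10", "192.0.2.11"],
    "ios.nccp.netflix.com": ["198.51.100.20"],
}
UPSTREAM = {
    "ichnaea.netflix.com": ["192.0.2.10", "192.0.2.12"],
    "ios.nccp.netflix.com": ["198.51.100.20"],
}


def rpz_records(pinned):
    """Return local-data lines, owner names relative to the policy zone.

    A name that has only A records in the policy zone answers AAAA queries
    with no data, which is what pushes clients onto IPv4.
    """
    lines = []
    for name in sorted(pinned):
        addrs = [ipaddress.ip_address(a) for a in pinned[name]]
        bad = [str(a) for a in addrs if a.version != 4]
        if bad:
            # An IPv6 entry would hand the tunnelled path back to clients.
            raise ValueError(f"{name}: not IPv4: {bad}")
        for ip in sorted(addrs):
            lines.append(f"{name.rstrip('.')}\tIN\tA\t{ip}")
    return lines


def drift(pinned, upstream):
    """Report pinned addresses that no longer match the upstream A records."""
    report = {}
    for name in sorted(pinned):
        have, want = set(pinned[name]), set(upstream.get(name, ()))
        if have != want:
            report[name] = {"stale": sorted(have - want),
                            "missing": sorted(want - have)}
    return report


if __name__ == "__main__":
    print("\n".join(rpz_records(PINNED)))
    for name, diff in drift(PINNED, UPSTREAM).items():
        print(f"update {name}: remove {diff['stale']}, add {diff['missing']}")
```

Any name reported by drift needs its A records in srpz.zone updated through the Synology UI.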
