25th April 2014, 10:17 PM #1OPSpecial Member
Senior PosterJoin Date : Jan 2011Location : Testing..Mobile : Nokia N8-00 v14.002 PR1.2Posts : 6,071Thanks: 2,700
- Thanked 1,038 Times in 703 PostsRep Power : 15Reputation : (2731)
Netflix DNS-unblocking without SNI for your Xbox 360, PS3, WDTV, Samsung TV
You will need some sort of Linux server at home to do this. Iím using a Raspberry Pi Linux mini computer which is up 24/7 on my LAN. And of course you will need a remote Linux server with an IP address registered in the U.S. You can get a low-end virtual private server for as low as $5/year. Unfortunately, itís almost impossible to come up with a step-by-step tutorial because every LAN setup is different, hence you have to have some Linux and networking skills in order to get this baby up and running.
And hereís how this approach works: A DNS forwarder like Dnsmasq on your local Linux server will intercept domain names relevant for DNS unblocking. All other queries will be forwarded to the DNS resolver/forwarder of your choice (usually, this will be your router). The intercepted domain names will be resolved to IP addresses which are routed to your Linux server within your LAN. Depending on the resolved IP addresses and ports, iptables DNAT rules will forward the request to a HAProxy proxy on your remote server. Each domain name can have its own internal IP adress and thus its own listening port on your remote serverís HAProxy. And since every domain name can have itís own HAProxy TCP proxy on your remote server, thereís no need for SNI!
For example: a DNS query to www.some-geofenced-service.com will not be resolved to its actual IP address 22.214.171.124, it will be resolved to 192.168.178.201 thanks to the internal DNS forwarder. The device asking for www.some-geofenced-service.comís IP address will try to establish a HTTPS connection to 192.168.178.201:443 which is routed to a Linux server within your LAN. A DNAT rule will transparently forward all packets sent to 192.168.178.201:443 to 123.123.123:27201 which is the remote server running HAProxy. The HAProxy proxy listening on port 126.96.36.199:27201 will then forward all layer 4 traffic to www.some-geofenced-service.com:443.
Just enter your local Linux serverís IP address as the DNS address in every device you want to DNS-unblock. You could also set the DNS server address in your router to your local Linux serverís address but make sure not to create an infinite DNS query loop.
Such a DNAT/DNS configuration would be rather complex and prone to errors. Thatís why I hacked together a generator which takes a config.json input file and writes three output files:
A complete configuration file for HAProxy. Use it on your remote serverís HAProxy.
All required DNS mappings for your specified range of internal IP addresses. Put this file in /etc/dnssmasq.d (Debian/Ubuntu) on your local Linux server.
The DNAT iptables rules. Make sure to load these rules whenever your local Linux server starts.
A few words about the config.json input file for the generator:
IP address of your remote HAProxy server
Starting IP address for the DNAT rules. Make sure to use static IP addresses in sequential order and route them to your local Linux server using virtual interfaces. Make sure the static IP range doesnít interfere with your routerís DHCP settings or weird things will happen.
Starting port for the HAProxy proxies.
HAProxy proxy name
true/false, set it to true if you want to use a catchall/sni HAProxy for this destination address. I primarily added this feature in order to save IP addresses within the LAN and to reduce the amount of iptables rules and HAProxy configuration entries. Has to be set to false it your device needs canít handle SNI. When in doubt, set to false.
The generator will provide rules to open the inbound firewall on the remote HAProxy server. Additional rules may be required if youíre firewalling the FORWARD and OUTBOUND chains as well. If something doesnít work as expected, tcpdump is your friend.
Make sure the following IP addresses are available as virtual interfaces on your Ddnsmasq-server:
[Login or Register to remove this advertisement]
192.168.178.51 192.168.178.52 192.168.178.53 192.168.178.54 192.168.178.55 192.168.178.56 192.168.178.57 192.168.178.58 192.168.178.59 192.168.178.60 192.168.178.61 192.168.178.62 192.168.178.63 192.168.178.64 192.168.178.65 192.168.178.66 192.168.178.67 192.168.178.68 192.168.178.69 192.168.178.70 192.168.178.71 192.168.178.72 192.168.178.73 192.168.178.74 192.168.178.75 192.168.178.76 192.168.178.77 192.168.178.78 192.168.178.79 192.168.178.80 192.168.178.81 192.168.178.82 192.168.178.83 192.168.178.84 192.168.178.85 192.168.178.86
/sbin/iptables -A INPUT -p tcp -m state --state NEW 188.8.131.52 --dport 27199 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m multiport -d 184.108.40.206 --dports 27200:27270 -j ACCEPT
File generated: haproxy.conf
File generated: dnsmasq-haproxy.conf
File generated: iptables-haproxy.conf
Donít forget to enable packet forwarding on the local Linux server using
net.ipv4.ip_forward = 1
in /etc/sysctl.conf.Mobile_Guru Reviewed by Mobile_Guru on . Netflix DNS-unblocking without SNI for your Xbox 360, PS3, WDTV, Samsung TV You will need some sort of Linux server at home to do this. Iím using a Raspberry Pi Linux mini computer which is up 24/7 on my LAN. And of course you will need a remote Linux server with an IP address registered in the U.S. You can get a low-end virtual private server for as low as $5/year. Unfortunately, itís almost impossible to come up with a step-by-step tutorial because every LAN setup is different, hence you have to have some Linux and networking skills in order to get this baby up and Rating: 5
Users Browsing this Thread
There Are Currently 1 Users Browsing This Thread. (0 Members and 1 Guests)
By mega_bot in forum Android OS ApplicationsReplies: 0Last Post: 22nd May 2012, 12:04 PM
By mega_bot in forum Android OS ApplicationsReplies: 0Last Post: 12th April 2012, 12:13 AM
By sirius in forum Android OS ApplicationsReplies: 0Last Post: 9th November 2011, 12:52 PM
By sirius in forum Android OS ApplicationsReplies: 0Last Post: 22nd October 2011, 10:40 AM
By sirius in forum Android OS ApplicationsReplies: 0Last Post: 20th October 2011, 12:02 PM