Since Tunlr closed down unexpectedly this week, I decided to publish my ideas and findings on the subject of DNS unblocking. I used Tunlr for some time when I decided to develop my own, private DNS unblocking solution last year.
Why VPNs are no good for streaming

DNS unblocking refers to a technique used to circumvent geo-fenced Internet services without the use of a VPN. When we're using a VPN to access geo-fenced websites, usually all our Internet traffic gets routed through a remote VPN server. With DNS unblocking, only selected traffic gets routed through a remote proxy server, ideally just the minimum traffic required to trick geo-fenced services like Pandora, Netflix or Hulu into "thinking" our current geolocation is within the United States (or any other country required to pass the geo-fence). One advantage is that DNS unblocking works for all devices that allow custom DNS settings, while a VPN only works on a computer or in the router. But the big advantage over a VPN is that DNS unblocking allows the full and intended use of Content Delivery Networks (CDNs).

Without going too far into the subject, CDNs usually rely on BGP Anycast or Geocast to find the closest destination server. Here's a real life example for Anycast: if we ping Google's DNS server (8.8.8.8), we will usually get a response within, let's say, 30ms or less, no matter where we are in the civilised world. This is because Google operates many DNS servers responding to the same 8.8.8.8 IP address, distributed all over the globe. The announced routes for 8.8.8.8 and the path vector protocol BGP make sure we're getting the one closest (with the shortest AS path) to us. While using a VPN, we will get the Google DNS server closest to the remote VPN server, which can be far away on a different continent. Far away is bad for bandwidth, and bandwidth is important for high quality video streams!

If a CDN is using Geocast, you will get the destination server closest to the DNS server, not the one closest to your real location. If you're resolving DNS queries through a (far away) DNS server, you're essentially killing the benefits of Geocast. This will wreak havoc on your download rates and increase latency for every DNS request. The latter applies to every scenario which includes a DNS server which is far away, including DNS unblocking. You should always use the DNS server with the lowest latency, which in almost every case is your provider's DNS server.

On-demand Internet streaming providers like Netflix rely heavily on CDN technology to transport their video streams to the end user.
And then there is the HTTPS tunnelling problem

There are many ways to tunnel an HTTP connection through a proxy. We could use Nginx for instance, or Squid. Even Apache comes with an HTTP proxy module. However, it gets a bit more difficult once we have to tunnel an HTTPS connection without terminating the SSL certificate in the proxy. As of today, none of the previously mentioned software products are able to tunnel an HTTPS connection without SSL termination.

Another problem is IP addresses. In the old days, every SSL endpoint required a dedicated IP address. Thanks to Server Name Indication (SNI), a client is able to present the desired domain name to a server during the initial SSL handshake. Unfortunately though, SNI only works in more recent browser versions and just a few standalone multimedia devices, iOS devices being among them. If we want to tunnel non-SNI-capable devices through an HTTPS proxy, we will have to use a dedicated IP address for every SSL tunnel.

Let's go back to the HTTPS tunnelling problem. There are a few solutions available in the open source marketplace but absolutely none of them come even close to HAProxy. HAProxy is the mother of all proxies. Among a myriad of other things, HAProxy is able to tunnel HTTPS connections, SNI-based or not, and it does this... wait for it... without SSL termination! It will just pass through any connection we throw at it. HAProxy is incredibly fast, unbelievably lightweight and very reliable. It's so stable I'm even using snapshot versions from the development branch in production environments (YMMV, that's just me).
Letís use HAProxy for DNS unblocking!

Here's a sample HAProxy configuration which includes support for Pandora, Netflix, Hulu, MTV, ABC and quite a few others. You can't use it without modification. It's best to start with the proxies you need and to throw away the parts you don't need. I'm probably not going to maintain it on a regular basis but feel free to fork it on Github.

Code: 
# Check the HAProxy documentation for information about the configuration keywords.
# Make sure to use (compile) the latest HAProxy version from the current development branch or some features may not work!
# Please see http://trick77.com/2014/03/01/tunlr-style-dns-unblocking-pandora-netflix-hulu-et-al/ for more information.
# *** THIS CONFIGURATION WILL NOT RUN WITHOUT PROPER MODIFICATION ***
 
global
  daemon
  maxconn 20000
  user haproxy
  group haproxy
  stats socket /var/run/haproxy.sock mode 0600 level admin
  log /dev/log  local0 debug
  pidfile /var/run/haproxy.pid
  spread-checks 5
 
defaults
  maxconn 19500
  log global
  mode http
  option httplog
  option abortonclose
  option http-server-close
  option persist
  option accept-invalid-http-response
 
  timeout connect 20s
  timeout server 120s
  timeout client 120s
  timeout check 10s
  retries 3
 
listen stats    # Website with useful statistics about our HAProxy frontends and backends
  bind *:6969
  mode http
  stats enable
  stats realm HAProxy
  stats uri /
  stats auth haproxy:secure_password_goes_here
 
# SNI catchall ------------------------------------------------------------------------
# We're trying to save as many IP addresses as possible that's why we're running as many backends as possible on one IP address.
# Obviously, we're using SNI on the 443 frontend only
 
frontend f_sni_catchall
  mode http
  bind ip_address_1_here:80
  log global
  option httplog
  option accept-invalid-http-request
 
  capture request  header Host len 50
  capture request  header User-Agent len 150
 
  #--- abc
  use_backend b_sni_catchall     if { hdr(host) -i abc.go.com }
  use_backend b_sni_catchall     if { hdr(host) -i api.watchdisneyxd.go.com }
  use_backend b_sni_catchall     if { hdr(host) -i api.watchabc.go.com }
 
  #--- mylifetime
  use_backend b_sni_catchall     if { hdr(host) -i c.brightcove.com }
 
  #--- cbs
  use_backend b_sni_catchall     if { hdr(host) -i release.theplatform.com }
 
  #--- crackle
  use_backend b_sni_catchall     if { hdr(host) -i www.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i api.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i ios-api.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i ios-api-us.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i appletv.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i android-api-us.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i xboxone-api-us.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i ps3-api-us.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i roku-api.crackle.com }
  use_backend b_sni_catchall     if { hdr(host) -i content.uplynk.com }
  use_backend b_sni_catchall     if { hdr(host) -i content-us-east-1.uplynk.com }
 
  #--- crunchyroll
  use_backend b_sni_catchall     if { hdr(host) -i www.crunchyroll.com }
  use_backend b_sni_catchall     if { hdr(host) -i api.crunchyroll.com }
 
  #--- discovery
  use_backend b_sni_catchall     if { hdr(host) -i static.discoverymedia.com }
 
  #--- dramafever
  use_backend b_sni_catchall     if { hdr(host) -i www.dramafever.com }
  use_backend b_sni_catchall     if { hdr(host) -i token.dramafever.com }
 
  #--- fox
  use_backend b_sni_catchall     if { hdr(host) -i link.theplatform.com }
 
  #--- hulu
  use_backend b_sni_catchall     if { hdr(host) -i s.hulu.com }
 
  #--- iheart
  use_backend b_sni_catchall     if { hdr(host) -i www.iheart.com }
 
  #--- last.fm
  use_backend b_sni_catchall     if { hdr(host) -i www.last.fm }
  use_backend b_sni_catchall     if { hdr(host) -i ws.audioscrobbler.com }
  use_backend b_sni_catchall     if { hdr(host) -i ext.last.fm }
 
  #--- logotv
  use_backend b_sni_catchall     if { hdr(host) -i www.logotv.com }
  use_backend b_sni_catchall     if { hdr(host) -i activity.flux.com }
 
  #--- netflix
  use_backend b_sni_catchall     if { hdr(host) -i www.netflix.com }
  use_backend b_sni_catchall     if { hdr(host) -i appboot.netflix.com }
  use_backend b_sni_catchall     if { hdr(host) -i cbp-us.nccp.netflix.com }
  use_backend b_sni_catchall     if { hdr(host) -i a248.e.akamai.net }
  ...
Please see the full configuration source on Github.
And where's the DNS part in DNS unblocking?

I'm using Dnsmasq on my Raspberry Pi to "intercept" the domain names from my HAProxy configuration and forward all other DNS queries to my ISP's DNS server. You could use BIND as a local caching DNS server as well but you would end up writing many DNS zone files. Dnsmasq is a lot easier to set up. I will publish a sample Dnsmasq configuration for DNS unblocking in a future post.
EDIT: Here it is.
So you want to start a DNS unblocking company?

Good luck, you're a bit late to the party. You will need DNS servers, lots of IP addresses, redundancy for everything, a way to deal with Akamai's geo-protected transport streams (= lots of bandwidth!), a frontend for clients (WHMCS comes to mind) and many other things. Please do me and the Internet a favour and make sure your open DNS servers are rate-limited. All professionally operated, open (recursive) DNS servers have some sort of rate limiting to make them less interesting (and harmful) in DNS amplification DDoS attacks. Hackers, or rather script kiddies, permanently scan the Internet for open recursive DNS servers and they will find your DNS server within hours.
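As an added example (not from the original post), here is the check the rate-limiting advice above implies, run over a few constructed Dnsmasq query-log lines: a per-client sliding window that flags any source exceeding a query rate, with ANY queries counted separately because their large answers are what make an open resolver attractive for amplification. The line format is Dnsmasq's log-queries output as relayed by syslog; the window size and threshold are assumptions to tune for your own resolver.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# dnsmasq "log-queries" lines via syslog: "<ts> dnsmasq[pid]: query[TYPE] <name> from <client>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

# Constructed sample log (not real traffic): one outside host hammering the resolver with
# ANY queries for a large zone, the classic amplification pattern, plus normal LAN lookups.
SAMPLE_LOG = [
    "Mar 15 10:15:42 dnsmasq[2211]: query[A] www.netflix.com from 192.168.1.20",
] + [
    "Mar 15 10:15:42 dnsmasq[2211]: query[ANY] isc.org from 203.0.113.9" for _ in range(7)
] + [
    "Mar 15 10:15:45 dnsmasq[2211]: query[A] s.hulu.com from 192.168.1.20",
    "this line is not a query and must be ignored",
]

def parse_line(line, year=2014):
    """Return (timestamp, qtype, name, client) or None; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + " ".join(m.group(1).split()), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_abusive_clients(lines, max_per_window=5, window_s=1.0):
    """Sliding-window rate check per source: returns {client: {"peak": n, "any": m}} for every
    client that sent more than max_per_window queries within any window_s-second span."""
    recent, peak, any_count = defaultdict(deque), defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, qtype, _name, client = parsed
        t = ts.timestamp()
        q = recent[client]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()                                   # drop queries that fell out of the window
        peak[client] = max(peak[client], len(q))
        if qtype == "ANY":
            any_count[client] += 1                        # ANY answers give the biggest amplification
    return {c: {"peak": p, "any": any_count[c]} for c, p in peak.items() if p > max_per_window}
```

The "peak" value is the number a resolver-side rate limit would cap; a client that trips it with nothing but ANY queries from outside your own network is the signature to alert on.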