Paul Derby

Q: Remove AAAA records in DNS queries

My ISP, Verizon FIOS, has yet to support IPv6 addresses.   I need to provide IPv6 interoperability and use a Hurricane Electric IPv6 tunnel solution to support IPv6 until Verizon upgrades their services to include IPv6.  Netflix recently decided to block requests coming through IPv6 tunnels in their effort to keep proxy servers and tunnels from providing US Content to people outside the US.  Unfortunately, Netflix also blocks the small number of legitimate Hurricane Electric customers located in the US that access IPv6 via the HE tunnel.  We have two Apple TVs (4th generation) that now cannot access Netflix content because the Apple TVs prioritize AAAA records over A records for connections to Netflix.

 

Some people get around this by disabling IPv6 on their Airport Extreme or other router, but this kills IPv6 for the entire network.  We provide DNS service from several Mac Minis running OS X Server.  I would like to modify BIND on one of the OS X Servers so that when DNS requests are made to that one server by the Apple TVs, AAAA records are removed and the Apple TVs only get A records.  This approach would isolate the AppleTVs from any IPv6 internet traffic since they would never see AAAA addresses in response to DNS queries provided by one of the Mac Minis.

 

Has someone modified the DNS server on OS X Server so that AAAA records are removed from DNS requests to that server?  If so, can you share what you did?

 

This would help a lot of early IPv6 adopters that lost Netflix content access when Netflix instituted this policy of blocking content delivery to IPv6 addresses tunneled through IPv4, even though the customers using the tunnel are in the US and are entitled to receive the content as part of their license.

 

This issue has been reported to Netflix and they have no interest in solving the problem on their end.  Completely disabling IPv6 in the router negates having access to the IPv6 services for the entire network, which has worked perfectly for years for all services, including Netflix, until Netflix decided to restrict tunneled IPv6 traffic.

 

Any solution to share the way to modify the DNS service in a MacMini to remove AAAA records from DNS requests would be deeply appreciated.  For the record, the router I use is a CISCO 1921 as the IPv6 endpoint.  It works perfectly supporting IPv6 network services to the internet and on the LAN.

Mac mini, OS X Server

Posted on Jun 26, 2016 2:47 PM


  • by John Lockwood,

    John Lockwood Jun 27, 2016 3:05 AM in response to Paul Derby
    Level 6 (9,309 points)
    Servers Enterprise

    IPv4 addresses have officially completely run out and did so some time ago. While this does not mean new users cannot use IPv4, it means new users/customers cannot get new officially allocated IPv4 addresses. As a result of this known issue, for years now the Internet, i.e. ISPs, hardware makers, and computer makers, have all been working towards fully supporting IPv6, which has an enormously greater number of potential addresses along with other improvements. The point of this is that web services like Netflix have to work towards supporting IPv6 and really should have already completed this. Google as an example has supported IPv6 for a long time.

    To show you how critical support for IPv6 is, Apple announced at this year's WWDC conference that all new Apps being submitted to their App Store will need to fully support IPv6 or they will be rejected. This would of course also include any new Netflix app.

    See http://arstechnica.com/apple/2016/06/ipv6-ecn-qos-and-other-networking-improvements-in-ios-10-and-macos-sierra/

     

    So, whether Netflix like it or not they must support IPv6. While their attempt to block VPNs, proxies and their like by blocking IPv6 tunnels is understandable it is clearly a non-workable approach and they need to change their policy immediately.

     

    Personally I regard all geo based DRM such as DVD region protection and geo-ip blocking as the height of stupidity and like all such schemes only harms legitimate customers like you. What these dinosaurs fail to understand is that while there are about 200 countries, and seven continents, there is only one Internet. Note: This is more down to the movie/tv studios than Netflix themselves. This stupidity has led to the creation of an entire industry i.e. VPN providers solely aimed at bypassing geo-ip protection.

  • by Paul Derby,

    Paul Derby Jun 27, 2016 11:08 AM in response to John Lockwood
    Level 1 (133 points)
    Servers Enterprise

    John, Netflix does fully support IPv6.  The issue is they block proxy and tunneled IPv6 connections, accepting only direct connections.

     

    A huge number of people agree with you that blocking IPv6 tunnels that are used by the early adopters until their ISPs provide IPv6 is a terrible policy and lots of us are complaining.

     

    But until Netflix does change their policy a workaround is needed for those of us that want to access Netflix from our Apple TVs.  The purpose of my posting was to see if someone has a workaround so that the Apple TV can access Netflix through the Netflix app.  It seems the most straightforward way to force the Apple TV to work with Netflix is to put up a DNS server that has embedded code to only return A records for Netflix and leave everything else alone.  That way IPv6 works for everything but Netflix.

    Hopefully someone has figured out or might figure out the BIND mods to do this.  An alternative solution would also be acceptable, but I don't know of one.  And maybe Netflix will quit being jerks and let their customers get the content they pay for via IPv6 tunnels.  If they are worried about non-US customers accessing US only content, then they could set up ACLs on their end blocking customers that pay with non-US based credit cards rather than locking out everyone that uses IPv6 tunnels as they wait for their ISP, Verizon FIOS in my case, to turn up native IPv6.
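
The per-domain behaviour described in the post above (answer AAAA queries for Netflix names with no records and pass everything else through untouched), sketched as an added example that is not part of the thread and is not BIND code. The suffix list, the function names and the sample query are assumptions made for illustration.

```python
import struct

AAAA = 28  # DNS RR type for IPv6 addresses
# Assumption: illustrative suffix list; the thread only names "Netflix".
A_ONLY_SUFFIXES = ("netflix.com",)

def encode_name(name):
    """Encode a hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype):
    """Constructed sample input: a one-question query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (name, qtype, end_offset) for the first question in msg."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack_from("!HH", msg, pos + 1)
    return ".".join(labels), qtype, pos + 5

def wants_a_only(name):
    """Match the suffix itself or any subdomain, but not look-alike names."""
    return any(name == s or name.endswith("." + s) for s in A_ONLY_SUFFIXES)

def answer(query, upstream_response):
    """Return NODATA for AAAA queries on listed names, else the upstream reply."""
    name, qtype, end = parse_question(query)
    if qtype != AAAA or not wants_a_only(name):
        return upstream_response
    txid, flags = struct.unpack_from("!HH", query)
    # QR=1, RA=1, client's RD bit kept, RCODE=0 (NOERROR), zero answer records.
    # No SOA is added to the authority section, so clients cannot cache the
    # negative answer and will ask again on each lookup.
    reply_flags = 0x8080 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + query[12:end]
```

A NOERROR reply with an empty answer section tells the client the name exists but has no AAAA record, so it uses the A record; returning NXDOMAIN instead would tell it the name does not exist at all.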