Selective Routing for Netflix

[Xentrk]

Is it possible, via pfsense, to selectively route applications/services like we've discussed? By that, what I mean is:

• Set up multiple VPN connections / interfaces. E.g. UK/USA/JP/IE etc
• Route, for example, BBC iPlayer traffic over UK VPN, Hulu over USA VPN etc and then everything else not fitting those traffic rules, route it over WAN

Does pfsense domain routing work like dnsmasq? Currently on my RT-AC5300 I have dnsmasq.conf.add and add my own domains there to run over separate Smart DNS IP's. That's all I do. It's a bit hit and miss though and now I find I want to route everything over VPN instead. Hopefully with a fast box it will help me get nice VPN speeds, enough to get 4K streams working properly.

Yes, selective routing you can choose what traffic to route to WAN or to one of several OpenVPN interfaces. Unbound is the DNS resolver in pfSense. Similar to dnsmasq but different too.

I plan to make selective routing on pfSense a topic of a future blog post once the 2.4.4 release is finalized as there are a lot of changes in pfBlockerNG in 2.4.4 when compared to the 2.4.3 release.

 

[frustin]

The sed command (which i cant decipher) does not seem to work for me:

admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -
E "a href.*2906\/" | grep -v ":"
                                <a href="/AS2906/108.175.32.0/20" >
                                <a href="/AS2906/185.2.220.0/22" >
                                <a href="/AS2906/185.9.188.0/22" >
                                <a href="/AS2906/192.173.64.0/18" >
                                <a href="/AS2906/192.173.70.0/24" >

However if i run it with the full command:

admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -
E "a href.*2906\/" | grep -v ":" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'

The output is blank.

 

[Martineau]

The sed command (which i cant decipher) does not seem to work for me:

admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -
E "a href.*2906\/" | grep -v ":"
                                <a href="/AS2906/108.175.32.0/20" >
                                <a href="/AS2906/185.2.220.0/22" >
                                <a href="/AS2906/185.9.188.0/22" >
                                <a href="/AS2906/192.173.64.0/18" >
                                <a href="/AS2906/192.173.70.0/24" >

However if i run it with the full command:

admin1@RT-AC86U:/tmp/mnt/sda2# curl http://ipinfo.io/AS2906 2>/dev/null | grep -
E "a href.*2906\/" | grep -v ":" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'

The output is blank.

Try

curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*AS2906\/" | grep -v ":" | sed 's/<a href\="\///; s/".*$//; s/^[^\/]*\///g'

 

[frustin]

Try

curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*AS2906\/" | grep -v ":" | sed 's/<a href\="\///; s/".*$//; s/^[^\/]*\///g'

that works. thank you.

 

[frustin]

Assuming i can get this working for UK netflix, does this script mean that i do not need to set up ipset= in dnsmasq anymore as it'll refresh each time i reboot the router?

Netflix is working on this laptop (no WAN tunnel for this device) but is not working when i try using the app on my Amazon Fire TV device.

If i set a WAN tunnel for the Amazon Fire device, amazon and Netflix both play fine.

Please can someone help me debug this? what do you need? logs etc..

 

[Martineau]

Assuming i can get this working for UK netflix, does this script mean that i do not need to set up ipset= in dnsmasq anymore as it'll refresh each time i reboot the router?

I would suggest the use of the script say every couple of weeks to flush the ipset and possibly remove obsolete entries.

Leaving dnsmasq to also update the ipset in real-time is also recommended - although I suspect there wouldn't be many additions that have yet to be propagated to the 'ipinfo' site.

So once a day using a cron schedule and also when the router is shutdown cleanly (see services-stop), backup the ipset to a USB drive, then to save time, whenever the router is rebooted simply restore the ipset backup.

 

[frustin]

I would suggest the use of the script say every couple of weeks to flush the ipset and possibly remove obsolete entries.

Leaving dnsmasq to also update the ipset in real-time is also recommended - although I suspect there wouldn't be many additions that have yet to be propagated to the 'ipinfo' site.

So once a day using a cron schedule and also when the router is shutdown cleanly (see services-stop), backup the ipset to a USB drive, then to save time, whenever the router is rebooted simply restore the ipset backup.

can i restore ipset in nat-start?

 

[Martineau]

can i restore ipset in nat-start?

Yes, but nat-start may be called twice during the boot process, and also whenever the WAN/firewall is restarted.

So if you have the ipset backup on a USB drive, then post-mount could be used or even init-start to ensure the ipset restore is only requested once during the boot process.

 

[frustin]

Yes, but nat-start may be called twice during the boot process, and also whenever the WAN/firewall is restarted.

So if you have the ipset backup on a USB drive, then post-mount could be used or even init-start to ensure the ipset restore is only requested once during the boot process.

thanks for that.

At the moment, i have the VPN switched on. Netflix (UK) and Amazon work fine on my laptop. However, they do not on my Amazon Fire TV box. Using the policy rules below:
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-40#post-412836

I use 10.0.0.0 network.

If I set a policy rule for the Amazon Fire to tunnel to WAN it works fine (as it should).

It has to be the Fire TV is going to some addresses that are not on my IPSET list.

I would like to compare the addresses, from the Fire TV, going out, when the device policy is set, with the addresses when selective routing is set. What's the best method for this please?

 

[Xentrk]

thanks for that.

At the moment, i have the VPN switched on. Netflix (UK) and Amazon work fine on my laptop. However, they do not on my Amazon Fire TV box. Using the policy rules below:
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-40#post-412836

I use 10.0.0.0 network.

If I set a policy rule for the Amazon Fire to tunnel to WAN it works fine (as it should).

It has to be the Fire TV is going to some addresses that are not on my IPSET list.

I would like to compare the addresses, from the Fire TV, going out, when the device policy is set, with the addresses when selective routing is set. What's the best method for this please?

This post will show you how to capture the domain names from dnsmasq.log

https://www.snbforums.com/threads/selective-routing-for-netflix.42661/page-6#post-400556.

You can then read the file containing the domain names you harvested, perform an nslookup on each one to obtain the IPv4 addresses, and load the list to an ipset. Save each ipset list to a separate text file and do a diff to compare the two lists. For example

for domain_name in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
    do
      for ip in $(nslookup $DNS | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        ipset add IPLAYER $ip
    done
done

 

[frustin]

This post will show you how to capture the domain names from dnsmasq.log

It collects domain names? not the ip addresses?
Also I assume i have to install AB-Solution to collect those domain names?

 

[Martineau]

I assume i have to install AB-Solution to collect those domain names?

Installing AB-Solution is a worthy addition if you require Ad-blocking, but it also enables dnsmasq logging to assist in reporting/debugging etc.

Alternatively you may enable dnsmasq logging by manually adding the following to

/jffs/configs/dnsmasq.conf.add

log-facility=/tmp/mnt/xxxxxxxx/dnsmasq.log
log-async
log-queries

and restarting dnsmasq:

service restart_dnsmasq

It collects domain names? not the ip addresses?

Domains are easily converted to IPs/Subnets!
​

I have just followed @Xentrk's 'harvesting' method by scanning dnsmasq log 'query' entries

Spoiler: Test

DNSMASQ_LOG="/tmp/mnt/xxxxxxxx/dnsmasq.log"
DEVICE=10.88.8.155
for DNSQUERY in $(grep "query" $DNSMASQ_LOG | grep "$DEVICE" | grep "nflx" | awk '{ print $6 }' | sort -u )
    do
        #Say iptables -t mangle -D PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        #Say iptables -t mangle -A PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        echo -e $cBCYA"\t\tExtracted '"$DNSQUERY"'"
        for IP in $(nslookup "$DNSQUERY" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1")
            do
                echo -en $cBRED
                ipset test NETFLIX $IP
                if [ $? -gt 0 ];then
                    echo -e $cBYEL"\t\tipset add NETFLIX" $IP
                fi
            done
    done

Results:

  Extracted 'ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

  Extracted 'ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

  Extracted 'ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net'
78.146.119.61 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.61

  Extracted 'ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net'
78.146.119.49 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.49

  Extracted 'occ-0-1688-299.1.nflxso.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

However, if dnsmasq is tracking (ipset=/nflxso.net/nflxvideo.net/NetflixUSA) , then my dnsmasq log shows that they were added to my ipset NetflixUSA:

Spoiler: dnsmasq ipset auto insert

Jun 25 14:58:16 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 14:58:16 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.61 ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net is 78.146.119.61
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.221 ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.221
Jun 25 15:00:04 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 15:00:04 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.49 ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net is 78.146.119.49
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.219 ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.219

Whilst useful in determining (in real-time) new Netflix related domains using the harvesting scripts, I'm not sure why @Xentrk would imply that it is necessary to create explicit iptables Netflix PREROUTING rules unless there is evidence that the dnsmasq technique no longer works?

 

[frustin]

Installing AB-Solution is a worthy addition if you require Ad-blocking, but it also enables dnsmasq logging to assist in reporting/debugging etc.

Alternatively you may enable dnsmasq logging by manually adding the following to

/jffs/configs/dnsmasq.conf.add

log-facility=/tmp/mnt/xxxxxxxx/dnsmasq.log
log-async
log-queries

and restarting dnsmasq:

service restart_dnsmasq

Domains are easily converted to IPs/Subnets!
​

I have just followed @Xentrk's 'harvesting' method by scanning dnsmasq log 'query' entries

Spoiler: Test

DNSMASQ_LOG="/tmp/mnt/xxxxxxxx/dnsmasq.log"
DEVICE=10.88.8.155
for DNSQUERY in $(grep "query" $DNSMASQ_LOG | grep "$DEVICE" | grep "nflx" | awk '{ print $6 }' | sort -u )
    do
        #Say iptables -t mangle -D PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        #Say iptables -t mangle -A PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        echo -e $cBCYA"\t\tExtracted '"$DNSQUERY"'"
        for IP in $(nslookup "$DNSQUERY" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1")
            do
                echo -en $cBRED
                ipset test NETFLIX $IP
                if [ $? -gt 0 ];then
                    echo -e $cBYEL"\t\tipset add NETFLIX" $IP
                fi
            done
    done

Results:

  Extracted 'ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

  Extracted 'ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

  Extracted 'ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net'
78.146.119.61 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.61

  Extracted 'ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net'
78.146.119.49 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.49

  Extracted 'occ-0-1688-299.1.nflxso.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

However, if dnsmasq is tracking (ipset=/nflxso.net/nflxvideo.net/NetflixUSA) , then my dnsmasq log shows that they were added to my ipset NetflixUSA:

Spoiler: dnsmasq ipset auto insert

Jun 25 14:58:16 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 14:58:16 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.61 ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net is 78.146.119.61
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.221 ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.221
Jun 25 15:00:04 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 15:00:04 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.49 ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net is 78.146.119.49
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.219 ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.219

So not sure why @Xentrk would imply that additional scripts are required to create explicit iptables Netflix PREROUTING rules unless there is evidence that the dnsmasq technique no longer works?

Interesting this is what i get. Nothing in there about "netflix":

admin1@RT-AC86U:/tmp/mnt/sda1/adblocking/logs# cat netflix
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.99.100
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.96.100
Jun 25 18:10:28 dnsmasq[1585]: query[AAAA] rgom10-en.url.trendmicro.com from 127.0.0.1
Jun 25 18:10:28 dnsmasq[1585]: forwarded rgom10-en.url.trendmicro.com to 103.86.99.100
Jun 25 18:10:28 dnsmasq[1585]: reply rgom10-en.url.trendmicro.com is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply trendmicro.com.edgesuite.net is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply rgom10-en.url.trendmicro.com is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply trendmicro.com.edgesuite.net is <CNAME>
Jun 25 18:10:28 dnsmasq[1585]: reply a151.g.akamai.net is 42.99.128.161
Jun 25 18:10:28 dnsmasq[1585]: reply a151.g.akamai.net is 42.99.128.168

That trendmicro check happens each time i do a "check your network" on netflix on the Fire TV.

Am i allowing just a151.g.akamai.net?

 

[Martineau]

Interesting this is what i get. Nothing in there about "netflix":

Am i allowing just a151.g.akamai.net?

Depending on Region/ISP etc., then CDN Akamai apparently does host "Netflix" see post #129

 

[frustin]

Depending on Region/ISP etc., then CDN Akamai apparently does host "Netflix" see post #129

wish i hadnt installed the ad blocker. It's added a load of stuff that's made it more confusing to debug.

removal is reformat jffs?

 

[Martineau]

wish i hadnt installed the ad blocker. It's added a load of stuff that's made it more confusing to debug.

removal is reformat jffs?

No...….use 'rm' from the AB-Solution menu.

 

[frustin]

Installing AB-Solution is a worthy addition if you require Ad-blocking, but it also enables dnsmasq logging to assist in reporting/debugging etc.

Alternatively you may enable dnsmasq logging by manually adding the following to

/jffs/configs/dnsmasq.conf.add

log-facility=/tmp/mnt/xxxxxxxx/dnsmasq.log
log-async
log-queries

and restarting dnsmasq:

service restart_dnsmasq

Domains are easily converted to IPs/Subnets!
​

I have just followed @Xentrk's 'harvesting' method by scanning dnsmasq log 'query' entries

Spoiler: Test

DNSMASQ_LOG="/tmp/mnt/xxxxxxxx/dnsmasq.log"
DEVICE=10.88.8.155
for DNSQUERY in $(grep "query" $DNSMASQ_LOG | grep "$DEVICE" | grep "nflx" | awk '{ print $6 }' | sort -u )
    do
        #Say iptables -t mangle -D PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        #Say iptables -t mangle -A PREROUTING -i br0 -d $DNSQUERY -j MARK --set-mark 0x7000/0x7000
        echo -e $cBCYA"\t\tExtracted '"$DNSQUERY"'"
        for IP in $(nslookup "$DNSQUERY" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1")
            do
                echo -en $cBRED
                ipset test NETFLIX $IP
                if [ $? -gt 0 ];then
                    echo -e $cBYEL"\t\tipset add NETFLIX" $IP
                fi
            done
    done

Results:

  Extracted 'ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

  Extracted 'ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

  Extracted 'ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net'
78.146.119.61 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.61

  Extracted 'ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net'
78.146.119.49 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.49

  Extracted 'occ-0-1688-299.1.nflxso.net'
78.146.119.221 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.221

78.146.119.219 is NOT in set NETFLIX.
  ipset add NETFLIX 78.146.119.219

However, if dnsmasq is tracking (ipset=/nflxso.net/nflxvideo.net/NetflixUSA) , then my dnsmasq log shows that they were added to my ipset NetflixUSA:

Spoiler: dnsmasq ipset auto insert

Jun 25 14:58:16 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 14:58:16 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 14:58:16 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.61 ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-sou001-my-isp.1.oca.nflxvideo.net is 78.146.119.61
Jun 25 14:59:05 dnsmasq[1639]: query[A] ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 14:59:05 dnsmasq[1639]: forwarded ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 14:59:05 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.221 ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 14:59:05 dnsmasq[1639]: reply ipv4-c002-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.221
Jun 25 15:00:04 dnsmasq[1639]: query[A] occ-0-1688-299.1.nflxso.net from 10.88.8.155
Jun 25 15:00:04 dnsmasq[1639]: forwarded occ-0-1688-299.1.nflxso.net to 9.9.9.9
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.219
Jun 25 15:00:05 dnsmasq[1639]: reply occ-0-1688-299.1.nflxso.net is 78.146.119.221
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.49 ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c004-ltn001-my-isp.1.oca.nflxvideo.net is 78.146.119.49
Jun 25 15:00:06 dnsmasq[1639]: query[A] ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net from 10.88.8.155
Jun 25 15:00:06 dnsmasq[1639]: forwarded ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net to 9.9.9.9

Jun 25 15:00:06 dnsmasq[1639]: ipset add NetflixUSA 78.146.119.219 ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net

Jun 25 15:00:06 dnsmasq[1639]: reply ipv4-c001-lhr004-my-isp.1.oca.nflxvideo.net is 78.146.119.219

Whilst useful in determining (in real-time) new Netflix related domains using the harvesting scripts, I'm not sure why @Xentrk would imply that it is necessary to create explicit iptables Netflix PREROUTING rules unless there is evidence that the dnsmasq technique no longer works?

I've gone back to dnsmasq tracking after removing adblocker (thanks for that by the way).

 

[frustin]

Installing AB-Solution is a worthy addition if you require Ad-blocking, but it also enables dnsmasq logging to assist in reporting/debugging etc.

Alternatively you may enable dnsmasq logging by manually adding the following to

/jffs/configs/dnsmasq.conf.add

log-facility=/tmp/mnt/xxxxxxxx/dnsmasq.log
log-async
log-queries

and restarting dnsmasq:

service restart_dnsmasq

I've added logging to my dnsmasq.conf.add and it's capturing data, however it's spamming the following:

Jun 25 21:56:52 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:52 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:56:57 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:57 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:02 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.96.100
Jun 25 21:57:02 dnsmasq[1698]: reply dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:07 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:07 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:12 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:12 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:17 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:17 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:22 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:22 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:27 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:27 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100

When i do some button pushing on netflix (on the Fire TV) I dont see anything new in this list. If I run nslookup on netflix.co.uk it shows up. I thought that the list updates when any request happens?

 

[Xentrk]

I've added logging to my dnsmasq.conf.add and it's capturing data, however it's spamming the following:

Jun 25 21:56:52 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:52 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:56:57 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:56:57 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:02 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100
Jun 25 21:57:02 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.96.100
Jun 25 21:57:02 dnsmasq[1698]: reply dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:07 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:07 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:12 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:12 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:17 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:17 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:22 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:22 dnsmasq[1698]: cached dns.msftncsi.com is 131.107.255.255
Jun 25 21:57:27 dnsmasq[1698]: query[A] dns.msftncsi.com from 127.0.0.1
Jun 25 21:57:27 dnsmasq[1698]: forwarded dns.msftncsi.com to 103.86.99.100

When i do some button pushing on netflix (on the Fire TV) I dont see anything new in this list. If I run nslookup on netflix.co.uk it shows up. I thought that the list updates when any request happens?

Those entries are from windows checking for web connecticity.

Do you see log entries from the ip address of the fire tv in dnsmasq.log? Do you assign static ip addresses to your lan clients?

 

[Martineau]

When i do some button pushing on netflix (on the Fire TV) I dont see anything new in this list. If I run nslookup on netflix.co.uk it shows up. I thought that the list updates when any request happens?

If the Fire TV is explicitly using upstream DNS servers then it bypasses dnsmasq on the router.