Selective Routing with Asuswrt-Merlin

[Xentrk]

What should I still have for the Policy Rules? Should I have 0.0.0.0 set for the Appltv ip? Or should the policy rules fields be blank?

Either way it isn't working properly. With 0.0.0.0 everything goes through VPN as youd expect, as if the script doesn't exist, and if Policy rules are blank, nothing goes through the VPN, as if script doesn't exist.

The way this script works, any IP addresses not in OVPNC1 will default to the WAN. There is no need to specify devices in the VPN GUI table using this method. You list them in OVPNC1.

I am not sure why you are getting the error message with iptables. The only thing I can suggest is to create a new copy of the script and delete everything after this line:

ip route flush cache

Then run the script. First, verify the ipset lists got created (e.g. ipset -L LAN_GW). Then, type the iptables command directly on the command line. First time running, you should get the error message for the -D line but not for the -A line.

WAN

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

VPN Client 1

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

Output should appear like this:

+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

What is your router model and firmware version?

 

[Rappy]

What is your router model and firmware version?

Thanks for bearing with me on this. I'll try out your suggestions later on. My router is AC68U (converted from T-mobile cellspot) with latest stable firmware 380.68_2

 

[Xentrk]

Thanks for bearing with me on this. I'll try out your suggestions later on. My router is AC68U (converted from T-mobile cellspot) with latest stable firmware 380.68_2

Your're welcome. This is one of my favorite networking topics. I'll check in periodically. I want to get this working for you. I am trying to install the iPlayer www on my kodi that runs on a Raspberry Pi and see if I can get it working. But now my pi won't boot up and I may have a bad SD card. Ugh! Luckily I have a backup(s). @#$%^ Computers!

 

[Rappy]

Output should appear like this:

Still got the errors. Here is the output line by line:

/jffs/scripts$ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
/jffs/scripts$ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
/jffs/scripts$ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
/jffs/scripts$ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.

Even if I run the D commands repeatedly back to back, it still shows errors.

Edit 1: Oh wait, is this only for tcp vpn configs? I use udp.
Edit 2: I tried the commands with udp inplace of tcp but still errors. Now trying a tcp VPN config...
Edit 3: No luck.

 

[Rappy]

Ok, I got the script to work despite the errors. However it only works on my laptop. The Apple TV still says an emphatic "NO". It seems that the tcp VPN config helped. How do I get this working with a UDP config since they are apparently much faster? and any ideas how to troubleshoot the Apple TV conundrum now that the laptop is working?

 

[kman]

Ok, I got the script to work despite the errors. However it only works on my laptop. The Apple TV still says an emphatic "NO". It seems that the tcp VPN config helped. How do I get this working with a UDP config since they are apparently much faster? and any ideas how to troubleshoot the Apple TV conundrum now that the laptop is working?

Can you report back what you are getting with

iptables -t mangle -nvL PREROUTING --line

I'm trying a similar setup as yourself, and running in to the same
iptables: No chain/target/match by that name.
In my case, I am using the VPN GUI for Policy Routing. My IP Rule has the following:

admin@RT-AC68U:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
10101:  from 192.168.1.106 lookup ovpnc1
10102:  from 192.168.1.118 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

However, iptables -t mangle -nvL PREROUTING --line gives me:

admin@RT-AC68U:/tmp/home/root# iptables -t mangle -nvL PREROUTING --line
Chain PREROUTING (policy ACCEPT 359K packets, 133M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     6450 4104K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3    12258  978K MARK       all  --  !ppp0  *       0.0.0.0/0            171.91.33.114         MARK or 0x8000

 

[Rappy]

Can you report back what you are getting with

iptables -t mangle -nvL PREROUTING --line

 iptables -t mangle -nvL PREROUTING --line
Chain PREROUTING (policy ACCEPT 1144K packets, 1219M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     431K  578M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.90        MARK set 0x1000
3       14  1960 MARK       all  --  br0    *       0.0.0.0/0            52.18.183.74         MARK set 0x1000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.109       MARK set 0x1000
5        0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.215       MARK set 0x1000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            52.18.216.98         MARK set 0x1000
7        0     0 MARK       all  --  br0    *       0.0.0.0/0            54.229.34.151        MARK set 0x1000
8        0     0 MARK       all  --  br0    *       0.0.0.0/0            34.250.133.37        MARK set 0x1000
9        0     0 MARK       all  --  br0    *       0.0.0.0/0            52.210.71.57         MARK set 0x1000
10       0     0 MARK       all  --  br0    *       0.0.0.0/0            34.252.65.162        MARK set 0x1000
11       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.67        MARK set 0x1000
12       2   104 MARK       all  --  br0    *       0.0.0.0/0            52.17.209.18         MARK set 0x1000
13       4   208 MARK       all  --  br0    *       0.0.0.0/0            52.209.115.140       MARK set 0x1000
14       8  1560 MARK       all  --  br0    *       0.0.0.0/0            54.229.213.180       MARK set 0x1000
15      48  9377 MARK       all  --  br0    *       0.0.0.0/0            54.72.107.191        MARK set 0x1000
16       0     0 MARK       all  --  br0    *       0.0.0.0/0            54.154.177.105       MARK set 0x1000
17       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.31.59.194         MARK set 0x1000
18       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.91        MARK set 0x1000
19      17  1650 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.81        MARK set 0x1000
20    6007  349K MARK       all  --  br0    *       0.0.0.0/0            212.58.232.65        MARK set 0x1000
21       0     0 MARK       all  --  br0    *       0.0.0.0/0            104.81.9.36          MARK set 0x1000
22       0     0 MARK       all  --  br0    *       0.0.0.0/0            176.34.132.170       MARK set 0x1000
23       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.115       MARK set 0x1000
24      17  5688 MARK       all  --  br0    *       0.0.0.0/0            52.49.97.51          MARK set 0x1000
25       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.16.221.145        MARK set 0x1000
26       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.22        MARK set 0x1000
27       0     0 MARK       all  --  br0    *       0.0.0.0/0            34.248.16.230        MARK set 0x1000
28       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.203       MARK set 0x1000
29       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.213       MARK set 0x1000
30      30  7797 MARK       all  --  br0    *       0.0.0.0/0            52.19.105.245        MARK set 0x1000
31      22  6089 MARK       all  --  br0    *       0.0.0.0/0            52.213.158.82        MARK set 0x1000
32       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.23        MARK set 0x1000
33       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.214.135.167       MARK set 0x1000
34       0     0 MARK       all  --  br0    *       0.0.0.0/0            34.251.12.243        MARK set 0x1000
35       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.50.247.145        MARK set 0x1000
36       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.31.207.163        MARK set 0x1000
37       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.66        MARK set 0x1000
38       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.78        MARK set 0x1000
39       2   104 MARK       all  --  br0    *       0.0.0.0/0            34.252.184.215       MARK set 0x1000
40     537 31292 MARK       all  --  br0    *       0.0.0.0/0            212.58.227.225       MARK set 0x1000
41       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.79        MARK set 0x1000
42       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.50.136.22         MARK set 0x1000
43       9  1072 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.114       MARK set 0x1000
44       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.212       MARK set 0x1000
45       0     0 MARK       all  --  br0    *       0.0.0.0/0            212.58.246.112       MARK set 0x1000
46       0     0 MARK       all  --  br0    *       0.0.0.0/0            34.249.5.74          MARK set 0x1000
47       0     0 MARK       all  --  br0    *       0.0.0.0/0            52.51.252.38         MARK set 0x1000
48       3   298 MARK       all  --  br0    *       0.0.0.0/0            212.58.244.78        MARK set 0x1000

 

[kman]

@Rappy thanks - how did you get it working? I have the same router with fw, but constantly running into the iptables: No chain/target/match by that name.

Even if I run the D commands repeatedly back to back, it still shows errors.

Edit 1: Oh wait, is this only for tcp vpn configs? I use udp.
Edit 2: I tried the commands with udp inplace of tcp but still errors. Now trying a tcp VPN config...
Edit 3: No luck.

In your VPN GUI, do you have any clients added under the "Rules for routing client traffic through the tunnel (Max Limit : 100)" section? My VPN is configured to use UDP protocol. Is that making a difference?

 

[Rappy]

@Rappy thanks - how did you get it working? I have the same router with fw, but constantly running into the iptables: No chain/target/match by that name.

In your VPN GUI, do you have any clients added under the "Rules for routing client traffic through the tunnel (Max Limit : 100)" section? My VPN is configured to use UDP protocol. Is that making a difference?

Yeah I had to change to a less than ideal TCP protocol for my VPN config.
I also still get those errors, but the script partially works now. It works for laptop, not for streaming box, (where it's really needed).
No. I don't have anything listed in the Policy Rules, just the setting set as Policy rules (strict).

 

[kman]

Yeah I had to change to a less than ideal TCP protocol for my VPN config.
I also still get those errors, but the script partially works now. It works for laptop, not for streaming box, (where it's really needed).
No. I don't have anything listed in the Policy Rules, just the setting set as Policy rules (strict).

I'm still confused, if you received iptables: No chain/target/match by that name. how did it get added to the tables and showing the routing under
iptables -t mangle -nvL PREROUTING --line



Trivial comment but are you sure the correct IPs are entered for streaming box? Makes no sense how it works on laptop and not streaming box.

 

[Rappy]

I'm still confused, if you received iptables: No chain/target/match by that name. how did it get added to the tables and showing the routing under
iptables -t mangle -nvL PREROUTING --line



Trivial comment but are you sure the correct IPs are entered for streaming box? Makes no sense how it works on laptop and not streaming box.

Who knows. I don't really have an understanding of what exactly is contained in the script. I was hoping that other peoples knowledge about it would see me through. But that might not suffice.

Yes, I'm sure the IP is correct. The only thing I can think is that the streaming box app accesses iPlayer through a different set of domains somehow, or perhaps there is some other geolocation check systemwide, that the BBC app is able to check. It works 100% however if I put ALL appletv traffic through the VPN. Mystery.

 

[kman]

Who knows. I don't really have an understanding of what exactly is contained in the script. I was hoping that other peoples knowledge about it would see me through. But that might not suffice.

Yes, I'm sure the IP is correct. The only thing I can think is that the streaming box app accesses iPlayer through a different set of domains somehow, or perhaps there is some other geolocation check systemwide, that the BBC app is able to check. It works 100% however if I put ALL appletv traffic through the VPN. Mystery.

Did you try the suggestion from @Xentrk here: #567? You need to monitor the DNSMasq to see what domains are being accessed. If you can remove all other devices from your network so it's easier to identify the Apple TV traffic.

Hope this makes sense.

See post

Enable dnsmasq logging using a /jffs/configs/dnsmasq.conf.add file:

Code:
log-queries
log-facility=/tmp/dnsmasq.log

Then:

Code:
service restart_dnsmasq
tail /tmp/dnsmasq.log -f

Try issuing a query.

 

[Rappy]

Yeah I tried that, although I ended up replacing the list of domains I found with a more exhaustive list that Xentrk found. I think the problem however is that it was only catching domains with relation to iPlayer. I will try without the filter later on.

 

[kman]

I wonder if we can capture DNS with regular expressions or wildcards. I have a feeling the DNS being queried changes dynamically, e.g. cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk may change to cd-megavolt.90fe2324ce3eb124.xhst.bbci.co.uk. If we can specify the DNS as *.bbci.co.uk. That will capture and route everything through the specified tunnels. I don't know just a thought.

 

[Rappy]

I wonder if we can capture DNS with regular expressions or wildcards. I have a feeling the DNS being queried changes dynamically, e.g. cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk may change to cd-megavolt.90fe2324ce3eb124.xhst.bbci.co.uk. If we can specify the DNS as *.bbci.co.uk. That will capture and route everything through the specified tunnels. I don't know just a thought.

Let me know if you figure it out.

 

[Xentrk]

Yeah I tried that, although I ended up replacing the list of domains I found with a more exhaustive list that Xentrk found. I think the problem however is that it was only catching domains with relation to iPlayer. I will try without the filter later on.

I am sure that is the situation. I can't help you with this one. You need to follow the dnsmasq log file (tail -f dnsmasq.log > temp) while watching iplayer on your apple tv to capture the domain names. If I have time in the next day or two, I will try to create an account with the apple store in UK so I can install the iplayer app on my ipad and then try to mine domain names that way.

See this post. It may help
https://www.snbforums.com/threads/bbc-iplayer-vpn-policy-based-routing.29403/#post-227499


You can use this script to get a clean consolidate list. It will query records for the word "query" and for the IP address of the device you are watching iplayer from. It will then strip out all text but the domain name and sort to eliminate duplicates. Edits will be required for the directory location of the output file. Run the script and provide the name of the output file. e.g. ./getdomainnames.sh output

#!/bin/sh
#set -xo
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/tmp/mnt/absolution/adblocking/logs/$1
output_file=$source_file"_output"
cat $source_file | grep query | grep 192.168.22.152 | awk '{ print $6 }' | sort -u > $output_file
#cat $source_file | grep cached | awk '{ print $6 }' | sort -u > $output_file

I tested this updated list and it is allowing me to tunnel thru okay and watch the web version .

Spoiler: updated domain names

a1089.d.akamai.net
a1104.w10.akamai.net
a2.w10.akamai.net
account-origin-live.bbc.net.uk
account.bbc.com
b1rbsov.bidi.live.bbc.co.uk
bbcdotcom.2cnt.net
bbciplayer.metafaq.com
bn1305.storage.live.com
bootstrapcdn.jdorfman.netdna-cdn.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
cdn.content.prod.cms.msn.com
cdn.optimizely.com
client-s.gateway.messenger.live.com
client.wns.windows.com
component.iplayer.api.bbc.co.uk
e3891.dscf.akamaiedge.net
e3891.f.akamaiedge.net
e8218.dscb1.akamaiedge.net
emp.bbc.co.uk
emp.bbci.co.uk
fig.bbc.co.uk
fig.bbc.net.uk
gn.symcd.com
ibl.api.bbc.co.uk
ichef.bbc.co.uk
ichef.bbci.co.uk
iplayer-web.files.bbci.co.uk
iplayerhelp.external.bbc.co.uk
ipv4only.arpa
live-ibl-componen-3y285w56k7w5-887784694.eu-west-1.elb.amazonaws.com
live-matc-componen-14ucw7bt4o3x5-61844696.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
live-tvip-componen-poadok30hype-1266449070.eu-west-1.elb.amazonaws.com
login.live.com
maxcdn.bootstrapcdn.com
mm.bidi.bbc.co.uk
mobile.pipe.aria.microsoft.com
music.files.bbci.co.uk
mvt.api.bbc.com
mybbc-analytics.files.bbci.co.uk
mybbc.files.bbci.co.uk
nav.files.bbci.co.uk
navpromo.90fe2324ce3eb149.xhst.bbci.co.uk
navpromo.api.bbci.co.uk
ocsp.comodoca.com
ocsp.usertrust.com
open-live.bbc.net.uk
open.live.bbc.co.uk
polling.bbc.co.uk
preferences.notifications.api.bbc.co.uk
r.bbci.co.uk
s.w.org
sa-live.com
sa.bbc.co.uk
search.bbc.co.uk
search.bbc.net.uk
search.files.bbci.co.uk
session-origin-live.bbc.net.uk
session.bbc.co.uk
session.bbc.com
ssl.bbc.co.uk
ssl.bbc.net.uk
static.bbc.co.uk
static.bbci.co.uk
stats.bbc.co.uk
uf2f.com
vod-dash-uk-live.akamaized.net
vod-dash-uk-live.bbcfmt.hs.llnwd.net
vod-thumb-uk-live.akamaized.net
vod-thumb-uk-live.bbcfmt.hs.llnwd.net
www-bbc-com.bbc.net.uk
www.bbc.co.uk
www.bbc.com
www.bbc.net.uk

 

[Rappy]

You can use this script to get a clean consolidate list. It will query records for the word "query" and for the IP address of the device you are watching iplayer from. It will then strip out all text but the domain name and sort to eliminate duplicates. Edits will be required for the directory location of the output file. Run the script and provide the name of the output file. e.g. ./getdomainnames.sh output

I'm sorry, you lost me at the beginning. What do I do to tail dnsmasq etc? Do I still set it to ipset=bbc.co.uk/www.bbc.co.uk/IPLAYER? Or shouldn't it be a more broad catchall now? In any case it is saying no such file as dnsmasq again, even though I still have DNS filtering activated. Also, I cannot get that getdomainnames script to run. It keeps getting stopped at Line 1. I created a directory in tmp/mnt called logs, and I changed line one to
source_file=/tmp/mnt/logs/$1
but it doesn't get past the error.

 

[Rappy]

Also, how does the final script change when dealing with domains instead of a list of IPs?

 

[Xentrk]

I'm sorry, you lost me at the beginning. What do I do to tail dnsmasq etc? Do I still set it to ipset=bbc.co.uk/www.bbc.co.uk/IPLAYER? Or shouldn't it be a more broad catchall now? In any case it is saying no such file as dnsmasq again, even though I still have DNS filtering activated. Also, I cannot get that getdomainnames script to run. It keeps getting stopped at Line 1. I created a directory in tmp/mnt called logs, and I changed line one to
source_file=/tmp/mnt/logs/$1
but it doesn't get past the error.

My preference at this point is to use domain names. Why? With domain names, there is usually something in the name that tells you it has something to do with the subject matter or not. For example, when I mined the updated list I provided last night, I saw domains for dropbox and trendmicro. Those are easy to spot and are candidates for removal.

Important to try to get your network as quiet as possible. Despite this, you will probably see some noise like I did with dropbox contacting home base and trendmicro doing it's thing.

You first need to check that you enabled dnsmasq logging. Did you specify a dnsmasq.log file location in /jffs/configs/dnsmasq.conf.add? e.g. log-facility=/jffs/logs/dnsmasq.log

The code in the script would look similar to this:

# Route AppleTV iPlayer Domain Names to VPN Client 1
for DNS in $(awk '{ print $1 }' /jffs/scripts/bbciplayerdns)
    do
      iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
      iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
    done

Get the logging to work first. Then, we can edit the script that extracts the domain names to update the location of the log file.

I mentioned earlier that I installed a private channel on Roku for iPlayer. When I select it, the logo appears then it returns to the channel listing screen. I mined what I could and got these results:

Spoiler: domain names

api-global.netflix.com
api.sr.roku.com
appboot.netflix.com
nrdp.nccp.netflix.com
pubads.g.doubleclick.net
secure.netflix.com

I was shocked to see what all of the netflix references! Not sure what that is all about. I know the iplayer channel is not supported in North America so I don't think I will have any luck.

Perhaps one of the UK members can mine the domain names for you.

 

[Xentrk]

Here is an even more updated list that is working for web iplayer traffic.

Spoiler: domain names

a1089.d.akamai.net
a1104.w10.akamai.net
a2.w10.akamai.net
account-origin-live.bbc.net.uk
account.bbc.com
b1rbsov.bidi.live.bbc.co.uk
bbcdotcom.2cnt.net
bbciplayer.metafaq.com
bn1305.storage.live.com
bootstrapcdn.jdorfman.netdna-cdn.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
component.iplayer.api.bbc.co.uk
e3891.dscf.akamaiedge.net
e3891.f.akamaiedge.net
e8218.dscb1.akamaiedge.net
emp.bbc.co.uk
emp.bbci.co.uk
fig.bbc.co.uk
fig.bbc.net.uk
gn.symcd.com
ibl.api.bbc.co.uk
ichef.bbc.co.uk
ichef.bbci.co.uk
iplayer-web.files.bbci.co.uk
iplayerhelp.external.bbc.co.uk
ipv4only.arpa
live-ibl-componen-3y285w56k7w5-887784694.eu-west-1.elb.amazonaws.com
live-matc-componen-14ucw7bt4o3x5-61844696.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
live-tvip-componen-poadok30hype-1266449070.eu-west-1.elb.amazonaws.com
login.live.com
maxcdn.bootstrapcdn.com
mm.bidi.bbc.co.uk
mobile.pipe.aria.microsoft.com
music.files.bbci.co.uk
mvt.api.bbc.com
mybbc-analytics.files.bbci.co.uk
mybbc.files.bbci.co.uk
nav.files.bbci.co.uk
navpromo.90fe2324ce3eb149.xhst.bbci.co.uk
navpromo.api.bbci.co.uk
ocsp.comodoca.com
ocsp.usertrust.com
open-live.bbc.net.uk
open.live.bbc.co.uk
polling.bbc.co.uk
preferences.notifications.api.bbc.co.uk
r.bbci.co.uk
s.w.org
sa-live.com
sa.bbc.co.uk
search.bbc.co.uk
search.bbc.net.uk
search.files.bbci.co.uk
session-origin-live.bbc.net.uk
session.bbc.co.uk
session.bbc.com
ssl.bbc.co.uk
ssl.bbc.net.uk
static.bbc.co.uk
static.bbci.co.uk
stats.bbc.co.uk
uf2f.com
vod-dash-uk-live.akamaized.net
vod-dash-uk-live.bbcfmt.hs.llnwd.net
vod-thumb-uk-live.akamaized.net
vod-thumb-uk-live.bbcfmt.hs.llnwd.net
www-bbc-com.bbc.net.uk
www.bbc.co.uk
www.bbc.com
www.bbc.net.uk

I removed these four domain names from the prior list:

Spoiler: domains not required

cdn.content.prod.cms.msn.com
cdn.optimizely.com
client-s.gateway.messenger.live.com
client.wns.windows.com