x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)

[Xentrk]

"ipset destroy TEMP" issued the "ipset v7.6: Set cannot be destroyed: it is in use by a kernel component" message

all the other commands you mentioned responded with correct results

I'll go ahead and make the small change I proposed. Sounds like there was a hiccup of some kind. I'll take a look to see if I need to add some error trapping.

 

[Xentrk]

Hi Xentrk,

first let me thank you as usual for your replies.

I have condensed all my answers in a single post.

Policy Rules (strict) has always been active for me. My first question is how do you analyse dnsmasq.log? I know how to follow it from Diversion (or use the tail command you gave) but is there a way to analyse it retrospectively? I see you use a grep command below, is there some sort of editor I can use? Or is the grep the best way to query dnsmasq.log?

I fully understand what you were doing for HBO and this is the same I was trying for Netflix but, for some reason, it wasn't adding the entries to the IPSET (I guess this was due to the funny looking entries in the dnsmasq config file as, once cleansed, it started working again).



I watched Netflix before and after. I realised the entries were being added when watching it but, for some reason, the counter was stuck at 6 entries, until I did all the cleansing. I will monitor if this happens again. I am very new to Unix scripts etc so it may well be that I was doing something wrong. And I understand why I don't need both the dnsmasq and the ASNUM.

The above is very useful, thanks! I assume I will get the new autoscan once you release it in GitHub.

All the rest (Amazon and Disney+) are working well so I am not planning to change anything there.

Thanks again!

autoscan.sh has been updated and posted to GitHub. Please see the announcement on this post for usage instructions.

Either the ASN and dnsmasq methods I have posted on GitHub for Netflix will work. You don't need both as it is redundant.

The method comes to down several factors. For example, the ASN for Amazon US will work with both Amazon Prime traffic and Disney. For some, it may create an issue. So using the dnsmasq method is just a way to get very specific where as the ASN method may cast too wide of a net. Or, Content Delivery Netwok may prevent ASN method from working.

Here is what I ran into with HBOMAX. When I use the ASN Lookup Tool available in x3mRouting, the HBO site belongs to ASN 14618 and 16509. But I already route all AWS traffic to my private IP yet HBO was flagging an error.

asn hbomax.com

-----------------------------
| ASN lookup for hbomax.com |
-----------------------------

- Resolving "hbomax.com"... 6 IP addresses found:

  52.205.19.251 +PTR ec2-52-205-19-251.compute-1.amazonaws.com
                +ASN 14618 (AMAZON-AES, US)
                +ORG Amazon.com, Inc.
                +NET 52.200.0.0/13 (AT-88-Z)
                +ABU abuse@amazonaws.com
                +GEO Ashburn, Virginia (US)

35.167.130.181 +PTR ec2-35-167-130-181.us-west-2.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 35.160.0.0/13 (AMAZO-ZPDX9)
                +ABU abuse@amazonaws.com
                +GEO Portland, Oregon (US)

    52.24.41.24 +PTR ec2-52-24-41-24.us-west-2.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 52.24.0.0/14 (AT-88-Z)
                +ABU abuse@amazonaws.com
                +GEO Portland, Oregon (US)
<snip>

So, that is what lead to the updates to autoscan.sh. I needed to see the FQDN for the reply records to see what was going on. It was then that I saw domains owned by content delivery network. To do the mining, I forced all traffic to use VPN Client 1 (my private IP) and selected all of the options on the HBOMAX website and clicked around on the streaming app. From that exercise, the script told me the top level domain names I needed to use for the dnsmasq method. The reason I also added the FQDN for the reply records is my main router is a pfSense appliance and it has a feature to route by FQDN. It did not work with just the query records. I also had to include the reply records. But I also found it gave me a better idea of what is going on. Now, sometimes we get lucky and find that only one term is need to query dnsmasq to find the records e.g. "hbo". But sometimes, there may be other records the streaming app generates that don't contain the term. In that case, the getdomainnames.sh script or the follow the log file option in diversion can help shed light on other domain names being queried.

 

[CannaLucente]

Hi Xentrk,

thanks for the explanation.
Interestingly for Netflix the ASN wasn't working at all for me, I was only able to see a single movie :-D the 2906 created 146 entries in the IPSET while the dnsmasq has created 800+ as of now.
Just run the update in amtm and got the new autoscan.sh, really helpful to see the new FQDN information.

Cheers.

 

[Xentrk]

Hi Xentrk,

thanks for the explanation.
Interestingly for Netflix the ASN wasn't working at all for me, I was only able to see a single movie :-D the 2906 created 146 entries in the IPSET while the dnsmasq has created 800+ as of now.
Just run the update in amtm and got the new autoscan.sh, really helpful to see the new FQDN information.

Cheers.

You reminded me that I ran into a similar issue a few months back and added the dnsmasq method for netflix to fix the issue and kept the AS2906. But I didn't have to make a similar change on my pfSense appliance. Things do change though and it may require another analysis to see what is going on. Adding amazonaws.com or amazonvideo.aws may be required. I'll take another look at it.

 

[Xentrk]

Following are the Netflix domains I mined using a Fire TV and Web Browser yesterday.

dnsmasq=netflix.com,netflix.net,nflxext.com,nflximg.com,nflxso.net,nflxvideo.net

The netflix.net only appeared if I accessed NF from a browser. As a result, I'll do some more analysis and stream using iOS, Roku and Android Box to make sure I have collected all of the domains.

I'll update the README and summarize the domains for the services I use in a new section so it's not buried in the text and solicit input from others to help us with all of our selective routing needs. Stay tuned.

 

[CannaLucente]

I haven't done testing as detailed as yours but entering the same 6 domains using the dnsmasq method, my IPSET site has currently 1225 entries (vs the 146 I get from asnum 2906). I don't get the netflix unblocker/proxy error any longer... I only access via Fire TV or dedicated app on the TV.

The error on firetv only comes up if you block 8.8.8.8 on the router as otherwise it's hardcoded in the netflix app...

Thanks for the updates! Let me know if there's any testing I can help you with...

 

[Xentrk]

I haven't done testing as detailed as yours but entering the same 6 domains using the dnsmasq method, my IPSET site has currently 1225 entries (vs the 146 I get from asnum 2906). I don't get the netflix unblocker/proxy error any longer... I only access via Fire TV or dedicated app on the TV.

The error on firetv only comes up if you block 8.8.8.8 on the router as otherwise it's hardcoded in the netflix app...

Thanks for the updates! Let me know if there's any testing I can help you with...

Thanks for the confirmation.

The ipset size difference is because the ASN method uses CIDR format (e.g. 23.246.0.0/18) which represents a range of IPv4 addresses whereas the dnsmasq method collect individual IPv4 addresses assigned to the domain (there can be more than one).

I force all LAN clients to use the DNS of the router via the DNSFilter option rather than explicitly blocking 8.8.8.8

 

[MarcoPolo]

I have just discovered and installed (directly version 2) this wonderful tool!
Thank you for creating this and maintaining it

If I can allow myself a feedback:

- After the initial installation the firewall-start file was no longer executable, I had to do a "chmod".

- In the documentation there seems to be some small mistakes:
In the examples given, sometimes "ipset_name=" is missing as in "x3mRouting AMAZON autoscan=amazon" and "x3mRouting WIMIPCOM ip=104.27.198.90,104.27.199.90".

- I had a quota problem with "

https://api.hackertarget.com/aslookup/?q=$ASN

" during my initial tests. I didn't immediately understand why the IPSETs were empty when I used "x3mRouting ipset_name=XXXX asnum=xxxxx,yyyyy,zzzzzz":
"curl -fsL --retry 3 --connect-timeout 3 "https://api.hackertarget.com/aslookup/?q=xxxx" --> "API count exceeded - Increase Quota with Membership"
How to modify the code of x3mRouting.sh to be able to use the Hackertarget APIs with a membership?

On the same subject, I read in the documentation "The IPv4 addresses are downloaded from ipinfo.io. ipinfo.io may require whitelisting if you use an ad-blocker program. If x3mRouting is unable to download the IP addresses from ipinfo.io, it will attempt to download using the aslookup tool on api.hackertarget.com/aslookup/" but I can't find any reference in the code to ipinfo.io: i have the feeling that the unique and default method is with the Hackertarget APIs (which has quotas, so).
Did I miss something?

Thank you

 

[Xentrk]

I have just discovered and installed (directly version 2) this wonderful tool!
Thank you for creating this and maintaining it

If I can allow myself a feedback:

- After the initial installation the firewall-start file was no longer executable, I had to do a "chmod".

- In the documentation there seems to be some small mistakes:
In the examples given, sometimes "ipset_name=" is missing as in "x3mRouting AMAZON autoscan=amazon" and "x3mRouting WIMIPCOM ip=104.27.198.90,104.27.199.90".

- I had a quota problem with "

https://api.hackertarget.com/aslookup/?q=$ASN

" during my initial tests. I didn't immediately understand why the IPSETs were empty when I used "x3mRouting ipset_name=XXXX asnum=xxxxx,yyyyy,zzzzzz":
"curl -fsL --retry 3 --connect-timeout 3 "https://api.hackertarget.com/aslookup/?q=xxxx" --> "API count exceeded - Increase Quota with Membership"
How to modify the code of x3mRouting.sh to be able to use the Hackertarget APIs with a membership?

On the same subject, I read in the documentation "The IPv4 addresses are downloaded from ipinfo.io. ipinfo.io may require whitelisting if you use an ad-blocker program. If x3mRouting is unable to download the IP addresses from ipinfo.io, it will attempt to download using the aslookup tool on api.hackertarget.com/aslookup/" but I can't find any reference in the code to ipinfo.io: i have the feeling that the unique and default method is with the Hackertarget APIs (which has quotas, so).
Did I miss something?

Thank you

Thanks for the comments on the documentation. I updated the README. ipinfo.io is no longer used so I removed the reference. ipinfo.io was limiting my downloads during the development when I was hitting it hard. So I switched to hackerytarget.com. I don't trap the error you describe but will have to do so now based on your feedback or look at other options. If you are using ASN method to get IPv4 addresses belonging to Amazon, you can change to the aws_region method instead as the source is a json file hosted by AWS. I'll research the amount of downloads allowed. x3mRouting does change permission on firewall-start if x3mRouting creates it. But not if the file already exists when x3mRouting inserts a line of code. I'll do some analysis on it. Thank you.

 

[Sean Rhodes]

Thanks Xentrk

Hi Xentrk, are there significant differences between 2.0.0 and 2.4.4? The reason I ask is because I'm stuck at 2.0.0 due to no more support for the RT-AC3200 which I'm using.

I'm running the ipset BBC_WEB4 and lately its been dropping the BBC connections, plus a couple of times it detected I was outside the UK. I was thinking of running another dns autoscan to see if there are any server updates, so I thought I would ask you first in case there are any mods improvements you could suggest based on my x3mRouting version I'm stuck at due to the firmware upgrade limitation.

 

[Xentrk]

Hi Xentrk, are there significant differences between 2.0.0 and 2.4.4? The reason I ask is because I'm stuck at 2.0.0 due to no more support for the RT-AC3200 which I'm using.

I'm running the ipset BBC_WEB4 and lately its been dropping the BBC connections, plus a couple of times it detected I was outside the UK. I was thinking of running another dns autoscan to see if there are any server updates, so I thought I would ask you first in case there are any mods improvements you could suggest based on my x3mRouting version I'm stuck at due to the firmware upgrade limitation.

My Private IP in UK stopped working. I've been working with VPN provider support team to fix the past few days. It detects I am outside UK. It worked for one day last week. I don't think it has anything to do with selective routing as I still have the same issue when I route all traffic to the UK tunnel. I have the same issue when using the TG app on FireTV and iPlayer app on iOS. I will keep you updated.

 

[Xentrk]

@Sean Rhodes One test to try is to route all traffic to UK tunnel and see if the BBC app works. Or, route a device to the tunnel. I did that with laptop on FireTV and had the same issue. I also routed my devices to WAN and used the TG app with the same result. If you use TorGuard, please report it to them. So far we are going back and forth. If another person reports the issue, maybe they will realize there is a problem. I don't watch it anymore. So I may cancel it. I would like to keep it so I can help others out.

 

[faria]

My Private IP in UK stopped working. I've been working with VPN provider support team to fix the past few days. It detects I am outside UK. It worked for one day last week. I don't think it has anything to do with selective routing as I still have the same issue when I route all traffic to the UK tunnel. I have the same issue when using the TG app on FireTV and iPlayer app on iOS. I will keep you updated.

Funny you mention that, my TG private ip from Uk, Google reports and gives me results from Portugal, But only Google is reporting incorrect location!
Going to contact Tg to see if they can supply me a new ip.

 

[thebatfink]

Hi. I am very new to the addon and I struggled a little if I am honest due to my lack of knowledge. I am in UK but have my vpn end point in NL, I route all my devices traffic through the vpn client 1. This obviously makes netflix see me as being in NL so I wanted to bypass the vpn and direct to wan just for netflix to get it back to UK. I got the addon installed yesterday (option with custom openvpn page) and added ipset for netflix with this command:

x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

I then added the NETFLIX entry in the custom section of my openvpn 1 client page to bypass the vpn for netflix. It worked! But today I go to netflix and now it wont play saying I am using an unblocker or proxy.. Why is that? Does it mean something is going back through the vpn again?

Edit: by way of an update on my progress to resolve the problem, I did run the getdomainnames.sh tool and saw when accessed netflix (Android TV / Shield app) it also was going to netflix.net and nflximg.com. So I deleted the ipset with

x3mRouting ipset_name=NETFLIX del

and recreated again with the extra two domains on the end.

x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,netflix.net,nflximg.com

But still same, proxy/unblocker message in the app. I will also add it still is working fine for BBC and Amazon doing the same thing to redirect to the wan.. and as I say initially Netflix worked fine, until following day.

 

[Xentrk]

Hi. I am very new to the addon and I struggled a little if I am honest due to my lack of knowledge. I am in UK but have my vpn end point in NL, I route all my devices traffic through the vpn client 1. This obviously makes netflix see me as being in NL so I wanted to bypass the vpn and direct to wan just for netflix to get it back to UK. I got the addon installed yesterday (option with custom openvpn page) and added ipset for netflix with this command:

x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

I then added the NETFLIX entry in the custom section of my openvpn 1 client page to bypass the vpn for netflix. It worked! But today I go to netflix and now it wont play saying I am using an unblocker or proxy.. Why is that? Does it mean something is going back through the vpn again?

Edit: by way of an update on my progress to resolve the problem, I did run the getdomainnames.sh tool and saw when accessed netflix (Android TV / Shield app) it also was going to netflix.net and nflximg.com. So I deleted the ipset with

x3mRouting ipset_name=NETFLIX del

and recreated again with the extra two domains on the end.

x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,netflix.net,nflximg.com

But still same, proxy/unblocker message in the app. I will also add it still is working fine for BBC and Amazon doing the same thing to redirect to the wan.. and as I say initially Netflix worked fine, until following day.

Make sure dnsmasq logging is enabled. You can't use Accept DNS Configuration = Exclusive setting on the OpenVPN screen with dnsmasq method as dnsmasq is bypassed with the Exclusive setting. It must be set to Disabled, Strict or Relaxed. I just did some analysis on Netflix domains in this post using the autoscan.sh and getdomainnames.sh script and by looking at /opt/var/log/dnsmasq.log file. When generating the domains, make sure you go to the website and use the streaming application on the device and select all of the menu options and select a movie or two. There may be regional differences. In the next two posts, there are some new ASN for Netflix that one may need to consider using the ASN method.

You can use the follow the log file in Diversion to watch what is being queried. If you don't have Diversion installed, you can use the command 'tail -f /opt/var/log/dnsmasq.log' while accessing NF app or website to see what domains are being referenced in real time. The problem with autoscan.sh script is you need to know what terms to search for. That is why watching the log file in real time helps here. I can take another look on my end later today.

 

[Xentrk]

Just made another pass at NF domains:

IPSET Format
-------------------------------------
netflix.com
netflix.net
nflxext.com
nflximg.com
nflxso.net
nflxvideo.net

Looks like NF resolves to AS16509 now rather than AS2906

- Resolving "netflix.com"... 6 IP addresses found:

                        44.234.232.238 +PTR ec2-44-234-232-238.us-west-2.compute.amazonaws.com
                                       +ASN 16509 (AMAZON-02, US)
                                       +ORG Amazon.com, Inc.
                                       +NET 44.224.0.0/11 (AMAZO-ZPDX)
                                       +ABU abuse@amazonaws.com
                                       +GEO Portland, Oregon (US)

                         44.237.234.25 +PTR ec2-44-237-234-25.us-west-2.compute.amazonaws.com
                                       +ASN 16509 (AMAZON-02, US)
                                       +ORG Amazon.com, Inc.
                                       +NET 44.224.0.0/11 (AMAZO-ZPDX)
                                       +ABU abuse@amazonaws.com
                                       +GEO Portland, Oregon (US)

                          44.242.60.85 +PTR ec2-44-242-60-85.us-west-2.compute.amazonaws.com
                                       +ASN 16509 (AMAZON-02, US)
                                       +ORG Amazon.com, Inc.
                                       +NET 44.224.0.0/11 (AMAZO-ZPDX)
                                       +ABU abuse@amazonaws.com
                                       +GEO Portland, Oregon (US)
<snip>

I am also seeing some query[A] records s to amazonvideo.com right after Netflix domains are queried. However, I am doing this from an Amazon FireTV and it may be background noise. However, you may want to add amazonvideo.com to the list if you still have issues.

Mar 11 07:39:10 dnsmasq[16555]: query[AAAA] cdn-0.nflximg.com from 192.168.22.165
Mar 11 07:39:10 dnsmasq[16555]: cached cdn-0.nflximg.com is <CNAME>
Mar 11 07:39:10 dnsmasq[16555]: cached dscg.netflix.com.edgesuite.net is <CNAME>
Mar 11 07:39:10 dnsmasq[16555]: forwarded cdn-0.nflximg.com to 127.0.1.1
Mar 11 07:39:11 dnsmasq[16555]: validation result is INSECURE
Mar 11 07:39:11 dnsmasq[16555]: reply cdn-0.nflximg.com is <CNAME>
Mar 11 07:39:11 dnsmasq[16555]: reply dscg.netflix.com.edgesuite.net is <CNAME>
Mar 11 07:39:11 dnsmasq[16555]: reply a743.dscg.akamai.net is 2600:1406:3::6011:4442
Mar 11 07:39:11 dnsmasq[16555]: reply a743.dscg.akamai.net is 2600:1406:3::6011:445b
Mar 11 07:39:11 dnsmasq[16555]: query[A] ab2xb7ra6e44.na.api.amazonvideo.com from 192.168.22.165
Mar 11 07:39:11 dnsmasq[16555]: forwarded ab2xb7ra6e44.na.api.amazonvideo.com to 127.0.1.1

 

[thebatfink]

Make sure dnsmasq logging is enabled. You can't use Accept DNS Configuration = Exclusive setting on the OpenVPN screen with dnsmasq method as dnsmasq is bypassed with the Exclusive setting. It must be set to Disabled, Strict or Relaxed. I just did some analysis on Netflix domains in this post using the autoscan.sh and getdomainnames.sh script and by looking at /opt/var/log/dnsmasq.log file. When generating the domains, make sure you go to the website and use the streaming application on the device and select all of the menu options and select a movie or two. There may be regional differences. In the next two posts, there are some new ASN for Netflix that one may need to consider using the ASN method.

You can use the follow the log file in Diversion to watch what is being queried. If you don't have Diversion installed, you can use the command 'tail -f /opt/var/log/dnsmasq.log' while accessing NF app or website to see what domains are being referenced in real time. The problem with autoscan.sh script is you need to know what terms to search for. That is why watching the log file in real time helps here. I can take another look on my end later today.

Hey thank you for getting back. I have diversion installed, I think I read diversion enables dnsmasq logging correct? I see in diversion that it says dnsmasq.log and it is 9.1M.

I do also have that setting in the openvpn client I am bypassing (the only client I’m running) set to relaxed. It is working for Amazon and BBC, I couldnt play anything before on Amazon and nothing live on BBC but that is all good now. I’ll try this diversion log watching, I thought that was what get domains was doing.

edit: So I watched the diversion log. The only things I noticed were some calls to google.com and yahoo.com, but not sure if it was coming from the netflix app (its a device running android tv os so who knows what processes are running in the background). Nothing I haven’t already added to the dnsmasq ipset.

What option are you running In the log viewer? I used 5 (Term or IP) and fed it my devices internal IP hoping it would filter to just what that was calling from that device as I have loads of devices (40+ with all the IoT devices) connected on my network and the log file was flying by with all kinds of stuff. Is that OK or I am losing stuff using 5?

The other thing I noticed trying more files like you said was that many do play OK.. its actually only certain videos which seem to trigger the unblocker / proxy error? I didn’t notice anything out of the ordinary in the log between working and none working files, at least with the follow log option 5.. but the videos that wont play always dont play so there must be something special about those ones you would think? One in particular (GB/UK Netflix) is News of the world with Tom Hanks, unblocker error everytime.

 

[Xentrk]

@Sean Rhodes @thebatfink

Had some extra time to dig into this today now that I have a new IP address.

Updated BBC iPlayer recommendations.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB5 dnsmasq=2cnt.net,akamaized.net,bbc.com,cloudfront.net,cloudfunctions.net,co.uk,llnwd.net,llnwi.net,net.uk

 

[Xentrk]

Hey thank you for getting back. I have diversion installed, I think I read diversion enables dnsmasq logging correct? I see in diversion that it says dnsmasq.log and it is 9.1M.

I do also have that setting in the openvpn client I am bypassing (the only client I’m running) set to relaxed. It is working for Amazon and BBC, I couldnt play anything before on Amazon and nothing live on BBC but that is all good now. I’ll try this diversion log watching, I thought that was what get domains was doing.

edit: So I watched the diversion log. The only things I noticed were some calls to google.com and yahoo.com, but not sure if it was coming from the netflix app (its a device running android tv os so who knows what processes are running in the background). Nothing I haven’t already added to the dnsmasq ipset.

What option are you running In the log viewer? I used 5 (Term or IP) and fed it my devices internal IP hoping it would filter to just what that was calling from that device as I have loads of devices (40+ with all the IoT devices) connected on my network and the log file was flying by with all kinds of stuff. Is that OK or I am losing stuff using 5?

The other thing I noticed trying more files like you said was that many do play OK.. its actually only certain videos which seem to trigger the unblocker / proxy error? I didn’t notice anything out of the ordinary in the log between working and none working files, at least with the follow log option 5.. but the videos that wont play always dont play so there must be something special about those ones you would think? One in particular (GB/UK Netflix) is News of the world with Tom Hanks, unblocker error everytime

Yes, watching the log file using diversion can pick up background noise from other apps. It is trial and error but I've been at this long enough that I can usually spot them.

There have been one or two people who have had to combine the ASN method and the dnsmasq method for NF. AS16509 is the ASN for NF when I do the query. But it may also include other amazon and streaming services which may not be what you want. I do route the entire Amazon AWS GLOBAL Region for my use case. Is your rule for Amazon also set to bypass VPN and go to the WAN? If not, then there may be a conflict since NF hosts on Amazon AWS servers.

I just got done doing dnsmasq analysis for BBC iPlayer. It does take some work. Install the utilities in Option 4.

Disable the VPN and route all of your traffic to the WAN or, create a rule in the OpenVPN client screen to have the device bypass the VPN tunnel. Next step is to go to Netflix and all of the menu options and select a few videos and watch for a few minutes. While doing this, you can use option 5 to display the query records in ssh session. Note the top level domains such as netflix.com, netflix.net, etc. Do this in a browser as well as it may query different domains.

Run the script autoscan.sh using the top level domains that were displayed when watched the dnsmasq log file.

sh autoscan.sh scan=flix,nflx

IPSET Format
-------------------------------------
netflix.com
netflix.net
nflxext.com
nflximg.com
nflxso.net
nflxvideo.net

FQDN Format
-------------------------------------
anycast.ftl.netflix.com
api-global.netflix.com
assets.nflxext.com
cdn-0.nflximg.com
codex.nflxext.com
customerevents.netflix.com
dvd.netflix.com
ichnaea.netflix.com
ifqeos6qew4hu4hep57uu-euw1.r.nflxso.net
ifqf6syxevog4rlttkeww-euw1.r.nflxso.net
ipv4-c001-lax009-ix.1.oca.nflxvideo.net
ipv4-c002-lax009-ix.1.oca.nflxvideo.net
ipv4-c048-lax009-ix.1.oca.nflxvideo.net
ipv4-c138-lax001-ix.1.oca.nflxvideo.net
ipv4-c166-lax001-ix.1.oca.nflxvideo.net
ipv4-c201-lax001-ix.1.oca.nflxvideo.net
ipv4-c259-lax001-ix.1.oca.nflxvideo.net
ipv4-c279-lax001-ix.1.oca.nflxvideo.net
ipv4-c290-lax001-ix.ftl.nflxvideo.net
ipv4-c291-lax001-ix.ftl.nflxvideo.net
ixanycast.ftl.netflix.com
netflix.com
nrdp.nccp.netflix.com
nrdp.prod.ftl.netflix.com
nrdp51-appboot.netflix.com
nrdp52-appboot.netflix.com
oca-api.netflix.com
occ-0-33-3997.1.nflxso.net
portal.dvd.netflix.com
preapp.prod.partner.netflix.net
push.prod.netflix.com
secure.netflix.com
uiboot.netflix.com
www.netflix.com


The getdomainnames.sh script picks up some background noise as well. But it does give you a report of what is being queried while you used the streaming app. NF uses regional Content Delivery Networks so look for those as well. But what I posted works for most people.

 

[thebatfink]

I tried, don't see anything which isn't already getting routed I think. I have Amazon EU and Amazon GLOBAL added. As well now as the asnum you mentioned for Netflix and the dnsmasq I had previously. Still some random movies that won't play and trigger the unblocked/proxy error