Re: [SLUG] BIND9 zone question
I believe dnsmasq lets you change host addresses of single hosts in a large domain with a 1-line entry. Not a bind solution, but it's really easy to do with dnsmasq; I have no idea how to do it with bind. dnsmasq has this functionality for things like blocking ads, but you can use it for any purpose:

    # Add domains which you want to force to an IP address here.
    # The example below send any host in double-click.net to a local
    # web-server.
    #address=/double-click.net/127.0.0.1

    # --address (and --server) work with IPv6 addresses too.
    #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83

    # Add the IPs of all queries to yahoo.com, google.com, and their
    # subdomains to the vpn and search ipsets:
    #ipset=/yahoo.com/google.com/vpn,search

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] BIND9 zone question
Awesome, thanks for the tip with dnsmasq.

-- Kind Regards, Christopher Barnes e. chris.p.bar...@gmail.com

On 14/08/2014 6:51 PM, Michael Chesterton che...@chesterton.id.au wrote:
Re: [SLUG] BIND9 zone question
For individual target hosts, i.e. not a whole domain, if you're the one doing the lookup, you could also use /etc/hosts.

On Thu, Aug 14, 2014 at 9:03 PM, Chris Barnes chris.p.bar...@gmail.com wrote:

-- Christopher Vance
Re: [SLUG] BIND9 zone question
Yep, except Apple TV, Roku, and other Netflix/Hulu-enabled devices don't usually have a hosts file you can change. So DNS or dnsmasq is really the only option for this scenario.

-- Kind Regards, Christopher Barnes e. chris.p.bar...@gmail.com

On 14/08/2014 10:34 PM, Christopher Vance cjsva...@gmail.com wrote:
[SLUG] BIND9 zone question
Hey people,

Got a bit of a tricky question, well it seems tricky to me. I want to use bind to resolve a single host address for a very large zone I don't own.

The background is that I'm trying to circumvent georestrictions on a TV streaming site. I've determined that the host on the internet that has an issue with my location is a248.e.akamai.net. Now, I don't want to hijack the whole akamai.net domain on my internal DNS because I would be forever adding new DNS records.

I tried creating a new master zone named a248.e.akamai.net and setting an A record for the root, but it seemed the DNS server was ignoring it and forwarding the request to upstream resolvers, resulting in the real IP being returned... which is not what I want; I want it to return my chosen IP address.

Does anyone know of a way I can hijack this one host address while leaving the rest of the domain untouched?

-- Kind Regards, Christopher Barnes e. chris.p.bar...@gmail.com
Re: [SLUG] BIND9 zone question
From what you've written, it sounds to me as if the issue is where the Akamai host thinks you are. If so, then DNS and bind are totally uninvolved.

Geo-location is normally done using IP addresses. You can change your IP address by using a proxy, in which case Akamai will understand you to be where the proxy is. Depending on the level of Akamai's pickiness, you might want to configure the proxy not to report who or where it's asking on behalf of.

On Thu, Aug 14, 2014 at 8:46 AM, Chris Barnes chris.p.bar...@gmail.com wrote:

-- Christopher Vance
Re: [SLUG] BIND9 zone question
Hi Christopher,

You're right that this Akamai host doesn't like my location, and you're right that Bind and DNS *alone* aren't going to resolve that. But the bigger part of my fix that I haven't revealed is that I change the IP address of hosts to point to loop-back addresses on a server in the US, which then does a TCP redirect to the original host, and this lets me bypass georestrictions quite nicely. For example:

    My computer requests secure.netflix.com
    My internal DNS says that host is at 192.168.1.20
    My computer opens a TCP connection (port 80 or 443) to 192.168.1.20
    The daemon listening on 192.168.1.20 on my server in the U.S. then redirects/rewrites the connection to the host secure.netflix.com

There's no proxying involved because the requests are often over SSL, and so my machine in the middle breaks the SSL security. It's simply a TCP port redirect.

So that works perfectly for Netflix because any part of that service that cares about geolocation is in the Netflix domain. Hulu, on the other hand, has services that are outside of the Hulu domain that take issue with my location - a248.e.akamai.net.

You might be wondering why I don't just use a VPN? Well, I don't want to tunnel all streaming traffic across it, and Netflix doesn't require all connections to be from the U.S. Only when you browse the Netflix catalog and when you choose a show/movie to watch does the service check location; after that the web browser, Apple TV, or other media device is redirected to a CDN to stream the content, and that CDN doesn't care where I am from. So I get better throughput by not tunnelling the video stream.

Now a hosts file would fix this problem very nicely, but Apple TV doesn't have a hosts file that is accessible, and that's where I do most of my streaming from. Interestingly, I can watch Hulu on my PC with my current setup with zero problems. It's when I try on the Apple TV that it talks to a248.e.akamai.net and throws an error that I'm outside the U.S.

On Thu, Aug 14, 2014 at 9:27 AM, Christopher Vance cjsva...@gmail.com wrote:

-- Kind Regards, Christopher Barnes e. chris.p.bar...@gmail.com
Re: [SLUG] BIND9 zone question
So you have your own server in the US. I would suggest Netflix is seeing that server's public IP address in the US as the origin of requests, which means you get Netflix's approval to download. I don't think the proxy vs port forwarding thing makes a difference.

The apparent difference between Hulu's CDN (Akamai) and Netflix's CDN (I dunno) is that Akamai also checks your location while Netflix's CDN doesn't. As I said, Akamai will most likely be doing geoip on your IP address, which you can only change if you go through your US server. Again, proxy vs port forwarding shouldn't make a difference, unless Akamai is also checking X-Forwarded-For.

DNS fiddles won't change the apparent location of any machine.

On Thu, Aug 14, 2014 at 9:44 AM, Chris Barnes chris.p.bar...@gmail.com wrote:

-- Christopher Vance
Re: [SLUG] BIND9 zone question
Correct. The Netflix servers are seeing my requests come from my server in the US. That's the whole point of having the server in the U.S., and it works very well for getting access to Netflix.

Netflix and Hulu both use Akamai, although Netflix appears to use other CDNs as well. The difference is that the software Netflix uses to serve up the video stream doesn't check location, it only checks that the viewer holds a valid license to view the stream, whereas Hulu's service seems to check my location at every request.

Proxy vs port forwarding does make a difference. For proxying to work the proxy would need to inspect the request. But since the request is encrypted the proxy would need to decrypt, inspect, and then re-encrypt, which causes a Man-In-The-Middle. While PCs don't care about this in so far as the user can choose to ignore certificate warnings, other devices like Apple TV, the Netflix app on Android, etc. won't let you ignore bad certificates. So proxying won't work. TCP redirect, where there's no need to inspect the inner data stream, is the only option.

The point of fiddling the DNS is that I can redirect requests for various Netflix and Hulu hosts to my own server in the US and have my server in the US redirect the request to the correct Netflix or Hulu host. So for example:

    www.netflix.com points to 192.168.1.10
    secure.netflix.com points to 192.168.1.20
    movies.netflix.com points to 192.168.1.21
    etc.

On Thu, Aug 14, 2014 at 10:05 AM, Christopher Vance cjsva...@gmail.com wrote:
Re: [SLUG] BIND9 zone question
Ok, turns out the problem was just a typo I had overlooked NUMEROUS times. I had been watching /var/log/bind.log which hadn't reported any problems. It wasn't until I took a look at /var/log/syslog that I saw the problem:

    localhost named[19832]: zone a248.e.akamai.net/IN: loading from master file /var/lib/bin/a248.e.akamai.net.hosts failed: file not found

    zone "a248.e.akamai.net" {
        type master;
        file "/var/lib/bin/a248.e.akamai.net.hosts";
    };

The path should of course be */var/lib/bind* not */var/lib/bin*. So I can now resolve a248.e.akamai.net to my local server, and all other DNS requests for the akamai.net domain are sent to the forwarder to resolve.

On Thu, Aug 14, 2014 at 10:32 AM, Chris Barnes chris.p.bar...@gmail.com wrote:
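As an added example (not code from this thread or from BIND or dnsmasq), the Python below covers the two overrides discussed in the thread from the operator's side: it parses a named.conf single-host master zone like the one above and flags a file path that does not exist (the slip that only surfaced in syslog), picks named's "loading from master file ... failed" lines out of sample syslog, renders the minimal zone file such an apex-is-the-hostname zone needs, and emits the equivalent one-line dnsmasq address= override from Michael's reply. The hostname, address, paths, serial and log lines are constructed for the example.

```python
"""Added example (not from the SLUG thread): validate a BIND9 single-host
override zone and detect the zone-load failure that named only reported
to syslog. Hostname, address, paths, serial and log lines are constructed."""
import os
import re

# Constructed named.conf fragment with the same slip as in the thread:
# the master file lives under /var/lib/bind, but the stanza says /var/lib/bin.
NAMED_CONF = '''
zone "cdn-host.example.net" {
    type master;
    file "/var/lib/bin/cdn-host.example.net.hosts";
};
'''

# Constructed syslog lines in the shape named uses for a failed zone load.
SYSLOG_LINES = [
    "Aug 14 10:40:01 localhost named[19832]: zone cdn-host.example.net/IN: "
    "loading from master file /var/lib/bin/cdn-host.example.net.hosts "
    "failed: file not found",
    "Aug 14 10:40:01 localhost named[19832]: zone example.org/IN: loaded "
    "serial 2014081401",
]

ZONE_RE = re.compile(r'zone\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}\s*;')
TYPE_RE = re.compile(r'\btype\s+(?P<type>\w+)\s*;')
FILE_RE = re.compile(r'\bfile\s+"(?P<path>[^"]+)"\s*;')
SYSLOG_RE = re.compile(
    r'named\[\d+\]: zone (?P<zone>\S+)/IN: loading from master file '
    r'(?P<path>\S+) failed: (?P<reason>.+)$')


def parse_zones(conf_text):
    """Return (zone name, type, file path) for each zone stanza."""
    zones = []
    for m in ZONE_RE.finditer(conf_text):
        body = m.group("body")
        ztype = TYPE_RE.search(body)
        zfile = FILE_RE.search(body)
        zones.append((m.group("name"),
                      ztype.group("type") if ztype else None,
                      zfile.group("path") if zfile else None))
    return zones


def missing_zone_files(conf_text, exists=os.path.exists):
    """Master zones whose file is absent: the config error that
    /var/log/bind.log stayed silent about. `exists` is injectable so
    the check can run against a fake filesystem."""
    return [(name, path)
            for name, ztype, path in parse_zones(conf_text)
            if ztype == "master" and path and not exists(path)]


def zone_load_failures(log_lines):
    """Pick named's 'loading from master file ... failed' lines out of
    syslog and return (zone, path, reason) for each."""
    found = []
    for line in log_lines:
        m = SYSLOG_RE.search(line.rstrip())
        if m:
            found.append((m.group("zone"), m.group("path"), m.group("reason")))
    return found


def render_zone_file(host, address, ttl=300):
    """Master zone file for a zone whose apex IS the single hostname, so
    only that name is answered locally and the rest of the parent domain
    still goes to the forwarder. Serial and SOA timers are constructed."""
    return (f"$TTL {ttl}\n"
            f"@   IN SOA ns.{host}. hostmaster.{host}. "
            f"(2014081401 3600 900 604800 {ttl})\n"
            f"@   IN NS  ns.{host}.\n"
            f"ns  IN A   {address}\n"
            f"@   IN A   {address}\n")


def dnsmasq_address_line(host, address):
    """The same single-host override as one dnsmasq line (Michael's tip)."""
    return f"address=/{host}/{address}"


if __name__ == "__main__":
    for zone, path in missing_zone_files(NAMED_CONF):
        print(f"zone {zone}: master file {path} does not exist")
    for zone, path, reason in zone_load_failures(SYSLOG_LINES):
        print(f"named failed to load {zone} from {path}: {reason}")
    print(render_zone_file("cdn-host.example.net", "192.0.2.20"))
    print(dnsmasq_address_line("cdn-host.example.net", "192.0.2.20"))
```

On a real server, `named-checkconf -z` performs the same test load of every master zone before you restart named, which would have caught the /var/lib/bin path without a trip through syslog.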