Saturday, January 3, 2015

Selectively change DNS servers for Netflix with dnsmasq

I recently started using OpenDNS name servers at home to provide some basic content filtering.

We also use Netflix on various devices. By configuring these devices to use custom name servers, we are able to access US Netflix. But that customization bypasses OpenDNS, and it needs to be enabled on each device.

I wanted to find a way to use OpenDNS name servers by default - preserving content filtering - and the custom name servers for Netflix only. It would also be nice if the configuration could be done in one place rather than on each device.

It looks like dnsmasq works well for this.

I run dnsmasq on my Linux server (Ubuntu 10.04) and point my router (TP-Link Archer D7 AC1750) to use that as the DNS server for DHCP.

(Note "for DHCP" - this was the key. When I first tried setting my dnsmasq server as the router's WAN DNS server, this did not work - browsing any internet page failed on hostname resolution. It needed to be set as the router's DHCP DNS server.)

On the Linux server...

I installed dnsmasq and configured it to do DNS only (not DHCP; I left that to the router).

sudo apt-get install dnsmasq
sudo cp -p /etc/dnsmasq.conf /etc/dnsmasq.conf.0

/etc/dnsmasq.conf

domain-needed
bogus-priv
# not looking in /etc/resolv.conf
no-resolv
# opendns servers are the defaults
server=208.67.222.222
server=208.67.220.220
# nameservers for netflix
# replace x.x.x.x with working primary and secondary servers for US netflix
server=/netflix.com/netflix.net/nflximg.com/x.x.x.x
server=/netflix.com/netflix.net/nflximg.com/x.x.x.x
cache-size=5000
# see what it's doing in /var/log/daemon.log (probably disable this after)
log-queries

Restart the service

sudo service dnsmasq restart

See what it's doing

tail -f /var/log/daemon.log
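To check that the split works as intended, here is an added Python example (not from the post) that applies dnsmasq's server= matching rule from the config above to a queried name, and audits the "forwarded ... to ..." lines that log-queries writes to daemon.log against that rule. The 10.0.0.x addresses and the log lines are constructed stand-ins, not values from the post.

```python
import re

# Constructed config in the shape of the post's /etc/dnsmasq.conf; 10.0.0.1/2 stand in for x.x.x.x.
DNSMASQ_CONF = """
no-resolv
server=208.67.222.222
server=208.67.220.220
server=/netflix.com/netflix.net/nflximg.com/10.0.0.1
server=/netflix.com/netflix.net/nflximg.com/10.0.0.2
"""

# Constructed "forwarded" lines as log-queries writes them; the last one deliberately breaks the split.
LOG = """
dnsmasq[1234]: forwarded www.netflix.com to 10.0.0.1
dnsmasq[1234]: forwarded www.example.com to 208.67.222.222
dnsmasq[1234]: forwarded cdn.example.org to 10.0.0.2
"""

def parse_servers(conf):
    """Split server= lines into default upstreams and a {domain: [upstreams]} map."""
    defaults, by_domain = [], {}
    for line in conf.splitlines():
        if not line.strip().startswith("server="):
            continue
        value = line.strip()[len("server="):]
        if value.startswith("/"):  # server=/dom1/dom2/.../upstream
            parts = value.split("/")
            for domain in parts[1:-1]:
                by_domain.setdefault(domain.lower(), []).append(parts[-1])
        else:
            defaults.append(value)
    return defaults, by_domain

def upstreams_for(name, defaults, by_domain):
    """dnsmasq rule: a domain covers itself and its subdomains, the longest
    matching suffix wins, and anything unmatched goes to the default servers."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in by_domain:
            return by_domain[suffix]
    return defaults

def audit_log(log, defaults, by_domain):
    """Return (name, upstream) pairs forwarded somewhere the config does not allow."""
    bad = []
    for name, upstream in re.findall(r"forwarded (\S+) to (\S+)", log):
        if upstream not in upstreams_for(name, defaults, by_domain):
            bad.append((name, upstream))
    return bad
```

Running audit_log over the real daemon.log confirms that only the Netflix domains reach the custom servers and everything else still goes through OpenDNS, so the content filtering is not silently bypassed.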

On the router...

In the WAN configuration, leave OpenDNS name servers configured.

In the DHCP configuration
  • set the IP address of the linux server as the primary name server
  • set the IP address of the router as the secondary (backup if the Linux server goes down).

Testing

While testing on Windows, I renewed the DHCP lease and flushed the DNS cache with ipconfig after each change in the DNS configuration:

ipconfig /renew
ipconfig /flushdns

On the Linux box, tail /var/log/daemon.log to confirm that dnsmasq is being used and to see what it is doing.

In a browser, try http://www.netflix.com in a new browser window. If it redirects to http://www.netflix.com/us then things are working.

Result

Now each device connecting to the router with DHCP is given dnsmasq on the Linux server as its primary DNS server, and the router - configured for OpenDNS - as the fallback name server.

Netflix USA is served by default to all devices. If I want a device to use the default Netflix for our region, I can change the nameservers on the device to use my router's IP address (so falling back to OpenDNS servers).

In all cases, we are using OpenDNS for everything apart from the Netflix domains, so general content filtering is preserved.

And as a bonus, any host defined in /etc/hosts on the dnsmasq Linux server becomes available by name to all DHCP hosts on the network. So I can address a couple of services (Logitech Media Server, Plex, ...) running on different boxes by name rather than by IP address.
