Docker packaged smart DNS proxy to watch Netflix, Hulu[n2], HBO Now and others out of region using BIND and sniproxy[n1].
The following are supported out of the box, however adding additional services is trivial and is done by updating the `zones.override` file and running `docker restart bind`:
- Netflix
- Hulu[n2]
- HBO Now
- Amazon Instant Video
- Crackle
- Pandora
- Vudu
- blinkbox
- NBC Sports and potentially many more
The following paragraphs show how to get this solution up and running with a few different Cloud providers I've tried so far.
The following is based on a standard Ubuntu Docker image provided by DigitalOcean, but should in theory work on any Linux distribution with Docker pre-installed.
- Head over to Digital Ocean to get $10 USD credit to create a Docker VM
- Create a Droplet using Docker 1.x on Ubuntu 14.04 (find it under Applications images).
- Make sure you create the Droplet in the right location, for example if you want to watch US content, create in the US.
- SSH to your Droplet and run the following command: `cd /opt && git clone https://github.com/ab77/netflix-proxy.git && cd netflix-proxy && ./build.sh`
- Point your DNS at the Droplet IP and watch Netflix, Hulu and HBO Now out of region.
- Enjoy or raise a new issue if something doesn't work quite right.
If you want to share your system with friends and family, you can authorise their home IP address(es) as follows (where `x.x.x.x` is the IP address) by running:
```
sudo iptables -I FRIENDS -s x.x.x.x/32 -j ACCEPT
# persist the rule; the redirect has to run as root too
sudo sh -c 'iptables-save > /etc/iptables/rules.v4 || iptables-save > /etc/iptables.rules'
```
To remove a previously authorised IP address, run:
```
sudo iptables -D FRIENDS -s x.x.x.x/32 -j ACCEPT
# persist the change; the redirect has to run as root too
sudo sh -c 'iptables-save > /etc/iptables/rules.v4 || iptables-save > /etc/iptables.rules'
```
The build script automatically configures the system with DNS recursion turned on. This has security implications, since it potentially opens your DNS server to a DNS amplification attack, a kind of DDoS attack. This should not be a concern, however, as long as the `iptables` firewall rules configured automatically by the build script remain in place. If you ever decide to turn the firewall off, please be aware of this.
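To confirm that the firewall is still shielding the recursive resolver, you can probe it from a host whose IP is not authorised and inspect the reply. The following is an added example, not part of netflix-proxy; the function names and the `example.com` probe name are assumptions.

```python
import socket
import struct
import sys

def build_query(name, txid=0x1234):
    """Minimal DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query, response):
    """Turn a raw reply (None means no reply at all) into a verdict."""
    if response is None:
        return {"verdict": "filtered", "amplification": 0.0}
    # Reject short packets, a mismatched transaction ID, or a cleared QR bit.
    if len(response) < 12 or response[:2] != query[:2] or not response[2] & 0x80:
        return {"verdict": "malformed", "amplification": 0.0}
    flags, _qdcount, ancount = struct.unpack("!HHH", response[2:8])
    recursion_available = bool(flags & 0x0080)  # RA bit
    rcode = flags & 0x000F
    if recursion_available and rcode == 0 and ancount > 0:
        verdict = "open-recursive"  # resolver answers this source IP recursively
    elif rcode == 5:
        verdict = "refused"         # reachable, but the query was declined
    else:
        verdict = "not-recursive"
    # Reply size relative to query size for this one probe.
    return {"verdict": verdict,
            "amplification": round(len(response) / len(query), 2)}

def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query over UDP/53 and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:  # covers timeouts and ICMP-triggered errors
            response = None
    return classify(query, response)

if __name__ == "__main__":
    # Run from a host that is NOT in the FRIENDS chain.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py <server-ip>")
```

From an unauthorised host the expected verdict is `filtered` or `refused`; `open-recursive` means the resolver is answering the whole Internet and the firewall rules need attention.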
If you want to turn DNS recursion off, please be aware that you will need a mechanism to selectively send DNS requests for domains your DNS server knows about (i.e. netflix.com) to your VPS and send all of the other DNS traffic to your local ISP's DNS server. Something like Dnsmasq can be used for this and some Internet routers even have it built in. In order to switch DNS recursion off, you will need to build your system using the following command:
```
cd /opt && git clone https://github.com/ab77/netflix-proxy.git && cd netflix-proxy && ./build.sh -r 0 -b 1
```
The following command line options can be optionally passed to `build.sh` for additional control:
```
Usage: ./build.sh [-r 0|1] [-b 0|1] [-c <ip>]
    -r  enable (1) or disable (0) DNS recursion (default: 1)
    -b  grab docker images from repository (0) or build locally (1) (default: 0)
    -c  specify client-ip instead of being taken from ssh_connection[n3]
```
The following is based on a standard Ubuntu image provided by Linode, but should work on any Linux distribution without Docker installed.
- Head over to Linode and sign-up for an account.
- Create a new Linode and deploy an Ubuntu 14-04 LTS image into it.
- Make sure you create the Linode in the right location, as there are a few to pick from.
- SSH to your Linode and run the following command: `curl -sSL https://get.docker.com/ | sh && cd /opt && git clone https://github.com/ab77/netflix-proxy.git && cd netflix-proxy && ./build.sh`
- Point your DNS at the Linode IP and watch Netflix, Hulu and/or HBO Now out of region.
- Binge. Not that there is anything wrong with that or raise a new issue if something doesn't work quite right.
The following is based on a standard Ubuntu image provided by DreamHost, but should work on any Linux distribution without Docker installed and running under non-root user.
- Head over to DreamHost and sign-up for an account.
- Find the DreamCompute or Public Cloud Computing section and launch an Ubuntu 14-04-Trusty instance.
- Make sure to add an additional firewall rule to allow DNS: `Ingress IPv4 UDP 53 0.0.0.0/0 (CIDR)`
- Also add a Floating IP to your instance, otherwise it will only have an IPv6 IP.
- SSH to your instance and run the following command: `curl -sSL https://get.docker.com/ | sh && sudo usermod -aG docker $(who am i | awk '{print $1}') && cd /opt && sudo git clone https://github.com/ab77/netflix-proxy.git && cd netflix-proxy && ./build.sh`
- Point your DNS at the instance IP and watch Netflix, Hulu and/or HBO Now out of region.
- Well done, enjoy or raise a new issue if something doesn't work quite right.
This solution is meant to be a quick and dirty (but functional) method of bypassing geo-restrictions for various services. While it is (at least in theory) called a smart DNS proxy, the only smart bit is in the `zones.override` file, which tells the system which domains to proxy and which to pass through. You could easily turn this into a dumb DNS proxy, by replacing the contents of `zones.override` with a simple[n4] statement:
```
zone "." {
    type master;
    file "/data/db.override";
};
```
This will in effect proxy every request that ends up on your VPS if you set your VPS IP as your main and only DNS server at home. Ideally, what you really want to do, is to have some form of DNS proxy at home, which selectively sends DNS requests to your VPS only for the domains you care about (i.e. netflix.com) and leaves everything else going out to your ISP DNS server(s). Dnsmasq could be used to achieve this, in combination, perhaps, with a small Linux device like Raspberry Pi or a router which can run OpenWRT.
There is a similar project to this, which automates the Dnsmasq configuration.
-- ab1
[n1] https://github.com/dlundquist/sniproxy by Dustin Lundquist
[n2] At the time of writing (May 2015), Hulu appears to be geo-restricted from DigitalOcean and Linode US IPs, but worked for a short time from a DreamCompute IAD DC IP. It also seems to be working from Amazon EC2 IPs.
[n3] You can now specify your home/office/etc. IP manually using the `-c <ip>` option to `build.sh`.
[n4] See serverfault post.