I subscribe to Getflix, which is quite similar to Unblock-Us in that it allows users to access geo-blocked content. The basic method to use these services is to set one’s device to use their provided DNS servers, but this sends all DNS requests their way. I wanted only to use their DNS servers to resolve specific geo-blocked URLs.
There are a couple of reasons you might want to do this – you may be concerned about yet another party being privy to your site visits, and in my case I wanted to retain the faster, closer DNS servers provided by my ISP for the majority of my web requests.
Dnsmasq is present in several flavours of custom firmware available for many consumer routers, but since that was unavailable to me I have set it up on my NAS, which runs the Ubuntu Server Linux distro. There are many guides for setting up Dnsmasq on many systems (for me it was as easy as “sudo apt-get install dnsmasq”), so I’ll just stick to explaining why I’ve configured it as I have.
Here is my Dnsmasq configuration file. Much of this isn’t necessary for this goal but I’ve kept it intact for context. I’ll go through why I’ve made certain decisions and it may help someone else.
# /etc/dnsmasq.conf

# regular dns servers (IPs redacted)
server=x.x.x.x
server=x.x.x.x
server=x.x.x.x
server=x.x.x.x

# getflix primary dns
server=/getflix.com.au/220.127.116.11
server=/netflix.com/18.104.22.168
server=/watchafl.afl.com.au/rightster.com/22.214.171.124
server=/hulu.com/a248.e.akamai.net/126.96.36.199
server=/pbs.org/188.8.131.52
server=/bbc.co.uk/cp143012-i.akamaihd.net/184.108.40.206
server=/itv.com/220.127.116.11
server=/channel4.com/18.104.22.168

# getflix secondary dns
server=/getflix.com.au/22.214.171.124
server=/netflix.com/126.96.36.199
server=/watchafl.afl.com.au/rightster.com/188.8.131.52
server=/hulu.com/a248.e.akamai.net/184.108.40.206
server=/pbs.org/220.127.116.11
server=/bbc.co.uk/cp143012-i.akamaihd.net/18.104.22.168
server=/itv.com/22.214.171.124
server=/channel4.com/126.96.36.199

# settings
interface=em1 # accept requests from the em1 interface
bogus-priv # don't forward non-routable (local) addresses
domain-needed # don't forward incomplete hostnames (names without dots)
no-resolv # don't read /etc/resolv.conf to get upstream servers
all-servers # use all servers, use the first returned
#strict-order # query servers in the order they appear
domain=local # set the domain name of this network
local=/local/ # set selected domains to only resolve locally
expand-hosts # add our domain name to our local hostnames
cache-size=10000 # increase the cache to 10k records
no-hosts # don't use the regular hosts file
addn-hosts=/etc/dnsmasq.hosts # use alternate hosts file

# dhcp: set range, netmask and lease time for unidentified clients
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,168h
read-ethers # read the /etc/ethers file for static assignment
dhcp-option=3,192.168.1.1 # set the gateway (router)

# logging
log-facility=/var/log/dnsmasq # log file
#log-queries # log dns queries
#log-dhcp # log dhcp activity

# disable a bunch of windows stuff
filterwin2k # block certain unnecessary windows requests
dhcp-option=19,0 # set ip-forwarding off
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP (WINS) nameserver(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=252,"\n" # tell windows not to ask for proxy info
dhcp-option=vendor:MSFT,2,1i # tell windows to release lease on shutdown
The upstream DNS servers have been selected by their speed from my location (according to namebench). Farther down I’ve also set the “all-servers” flag, which means that every request I make is sent to each server that I’ve configured, and the first response is accepted. Like this fellow, I found that it resulted in a tremendous resolution speed increase. This is a terrible setting for a big network to use because of the increased traffic, but since I’m just a home user and since I’m caching my requests it’s not such a big deal. Were I not using this I might have gone for the “strict-order” option, to ensure that the faster servers I’ve listed at the top are tried first.
The Getflix server block defines which domains are to be resolved via the Getflix servers, using some domains I found here, plus a few more that they hadn’t updated at the time of writing. Each server line says that queries for the listed domains (and their subdomains) are to be sent to the DNS server given at the end of the line. I could have put all of them on one line, but preferred to separate them according to the service being accessed. I have repeated this whole block for the secondary Getflix DNS server.
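To check which lookups actually leave for the third-party resolver, the routing that the server lines describe can be modelled offline. This is an added example, not part of the original configuration: the function names are hypothetical, the sample config is constructed with RFC 5737 documentation addresses, and only the server=/local= forms used on this page are handled.

```python
import re

# Constructed sample config; all addresses are RFC 5737 documentation ranges.
SAMPLE_CONF = """\
# /etc/dnsmasq.conf (constructed sample)
server=198.51.100.1
server=198.51.100.2
server=/netflix.com/192.0.2.10
server=/hulu.com/a248.e.akamai.net/192.0.2.10   # two domains, one server
server=/netflix.com/192.0.2.20
local=/local/        # answered locally, never forwarded
"""

def parse_servers(conf_text):
    """Return (default_servers, {domain: [servers]}) from server=/local= lines."""
    defaults, scoped = [], {}
    for raw in conf_text.splitlines():
        # A comment starts at '#' at line start or after whitespace.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in ("server", "local"):
            continue
        value = value.strip()
        if not value.startswith("/"):
            defaults.append(value)          # unscoped upstream
            continue
        # /dom1/dom2/.../target : the last field is the server (may be empty)
        *domains, target = value.split("/")[1:]
        for d in domains:
            servers = scoped.setdefault(d.lower().rstrip("."), [])
            if target:
                servers.append(target)
    return defaults, scoped

def upstreams_for(name, defaults, scoped):
    """Most specific domain wins, matched on label boundaries; else defaults."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in scoped:
            return scoped[suffix]           # [] means local-only, not forwarded
    return defaults

def audit(names, conf_text):
    """Map each query name to the upstream servers that would receive it."""
    defaults, scoped = parse_servers(conf_text)
    return {n: upstreams_for(n, defaults, scoped) for n in names}
```

Running audit() over names taken from a query log shows at a glance which lookups are visible to the geo-unblocking provider and which stay with the regular upstreams.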
I’ve commented the settings but it’s worth mentioning a few. I have specified the interface to listen on even though there’s only the one point of entry on my network. Recent versions of Dnsmasq block all traffic if nothing is specified here, which is the opposite to its previous behaviour.
I’ve specified that Dnsmasq is not to read nameservers from the /etc/resolv.conf file and not to read hostnames from the /etc/hosts file. Both of these are used by the system for other purposes as well, and I wanted to keep Dnsmasq ‘clean’. I’ve specified my own hosts file specifically for Dnsmasq instead. It looks something like this:
# /etc/dnsmasq.hosts
192.168.1.1 red
192.168.1.2 green
192.168.1.10 blue
192.168.1.20 yellow
192.168.1.30 purple
Dnsmasq is also being used as a DHCP server, so I’m specifying my gateway (the router) and an IP range to be used for unidentified clients. This includes a subnet value, which is required because my router is a DHCP relay. Thanks to the “read-ethers” option I can specify clients requiring static IPs in the /etc/ethers file, which looks a little like this:
# /etc/ethers
28:91:4a:2b:0b:21 192.168.1.2
20:c7:d0:9b:db:7f 192.168.1.10
08:50:6e:e7:3e:95 192.168.1.20
84:35:35:3f:15:78 192.168.1.30
While troubleshooting my setup I was logging DHCP and DNS activity on top of the standard Dnsmasq reporting, but I’ve turned both off now. The final block of the config turns off a bunch of stuff related to Windows clients, which I do have, but my network is so small that they are pointless overheads.
That’s about it! Let me know if you have any questions about my configuration, or if you can help me improve upon it. My thanks to these articles, which pointed me in the right direction:
- Setting up dnsmasq with Ubuntu 10.04 for home networking
- Dnsmasq For Easy LAN Name Services
17 May 2014: Since posting this I’ve changed router, and the new one doesn’t support DHCP relaying. So I’m now doing DHCP on the router itself and am simply using Dnsmasq for DNS. I have commented out all of the DHCP lines in /etc/dnsmasq.conf and therefore no longer use /etc/ethers, but everything still works as before.