I subscribe to Getflix, which is quite similar to Unblock-Us in that it allows users to access geo-blocked content. The basic method to use these services is to set one’s device to use their provided DNS servers, but this sends all DNS requests their way. I wanted only to use their DNS servers to resolve specific geo-blocked URLs.

There are a couple of reasons you might want to do this – you may be concerned about yet another party being privy to your site visits, and in my case I wanted to retain the faster, closer DNS servers provided by my ISP for the majority of my web requests.

Dnsmasq is present in several flavours of custom firmware available for many consumer routers, but since that was unavailable to me I have set it up on my NAS, which runs the Ubuntu-server linux distro. There are many guides for setting up Dnsmasq on many systems (for me it was as easy as “sudo apt-get install dnsmasq”), so I’ll just stick to explaining why I’ve configured it as I have.

Here is my Dnsmasq configuration file. Much of this isn’t necessary for this goal but I’ve kept it intact for context. I’ll go through why I’ve made certain decisions and it may help someone else.

# /etc/dnsmasq.conf

# regular dns servers (IPs redacted)
server=x.x.x.x
server=x.x.x.x
server=x.x.x.x
server=x.x.x.x

# getflix primary dns
server=/getflix.com.au/54.252.183.4
server=/netflix.com/54.252.183.4
server=/watchafl.afl.com.au/rightster.com/54.252.183.4
server=/hulu.com/a248.e.akamai.net/54.252.183.4
server=/pbs.org/54.252.183.4
server=/bbc.co.uk/cp143012-i.akamaihd.net/54.252.183.4
server=/itv.com/54.252.183.4
server=/channel4.com/54.252.183.4

# getflix secondary dns
server=/getflix.com.au/54.252.183.5
server=/netflix.com/54.252.183.5
server=/watchafl.afl.com.au/rightster.com/54.252.183.5
server=/hulu.com/a248.e.akamai.net/54.252.183.5
server=/pbs.org/54.252.183.5
server=/bbc.co.uk/cp143012-i.akamaihd.net/54.252.183.5
server=/itv.com/54.252.183.5
server=/channel4.com/54.252.183.5

# settings
interface=em1       # accept requests from the em1 interface
bogus-priv          # don't forward non-routable (local) addresses
domain-needed       # don't forward incomplete hostnames (names without dots)
no-resolv           # don't read /etc/resolv.conf to get upstream servers
all-servers         # use all servers, use the first returned
#strict-order       # query servers in the order they appear
domain=local        # set the domain name of this network
local=/local/       # set selected domains to only resolve locally
expand-hosts        # add our domain name to our local hostnames
cache-size=10000    # increase the cache to 10k records
no-hosts            # don't use the regular hosts file
addn-hosts=/etc/dnsmasq.hosts   # use alternate hosts file

# dhcp: set range, netmask and lease time for unidentified clients
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,168h
read-ethers                     # read the /etc/ethers file for static assignment
dhcp-option=3,192.168.1.1       # set the gateway (router)

# logging
log-facility=/var/log/dnsmasq   # log file
#log-queries                    # log dns queries
#log-dhcp                       # log dhcp activity

# disable a bunch of windows stuff
filterwin2k                     # block certain unnecessary windows requests
dhcp-option=19,0                # set ip-forwarding off
dhcp-option=44,0.0.0.0          # set netbios-over-TCP/IP (WINS) nameserver(s)
dhcp-option=45,0.0.0.0          # netbios datagram distribution server
dhcp-option=46,8                # netbios node type
dhcp-option=252,"\n"            # tell windows not to ask for proxy info
dhcp-option=vendor:MSFT,2,1i    # tell windows to release lease on shutdown

The upstream DNS servers have been selected by their speed from my location (according to namebench). Farther down I’ve also set the “all-servers” flag, which means that every request I make is resolved by each server that I’ve configured, and the first response is accepted. Like this fellow, I found that it resulted in a tremendous resolution speed increase. This is a terrible setting for a big network to use because of the increased traffic, but since I’m just a home user and since I’m caching my requests it’s not such a big deal. Were I not using this I might have gone for the “strict-order” option, to ensure that the faster servers I’ve listed at the top are tried first.

The Getflix server block defines which URLs are to be resolved via the Getflix servers, using some domains I found here, plus a few more that they hadn’t updated at the time of writing. Each server line is saying that for each of these addresses, use this DNS server to resolve it. I could have put all of them on one line, but preferred to separate them according to the service being accessed. I have repeated this whole block for the secondary Getflix DNS server.

I’ve commented the settings but it’s worth mentioning a few. I have specified the interface to listen on even though there’s only the one point of entry on my network. Recent versions of Dnsmasq block all traffic if nothing is specified here, which is the opposite to its previous behaviour.

I’ve specified that Dnsmasq is not to read nameservers from the /etc/resolv.conf file and not to read hostnames from the /etc/hosts file. Both of these are used by the system for other purposes as well, and I wanted to keep Dnsmasq ‘clean’. I’ve specified my own hosts file specifically for Dnsmasq instead. It looks something like this:

# /etc/dnsmasq.hosts
192.168.1.1     red
192.168.1.2     green
192.168.1.10    blue
192.168.1.20    yellow
192.168.1.30    purple

Dnsmasq is also being used as a DHCP server, so I’m specifying my gateway (the router) and an IP range to be used for unidentified clients. This includes a subnet value, which is required because my router is a DHCP relay. Thanks to the “read-ethers” option I can specify clients requiring static IPs in the /etc/ethers file, which looks a little like this:

# /etc/ethers
28:91:4a:2b:0b:21 192.168.1.2
20:c7:d0:9b:db:7f 192.168.1.10
08:50:6e:e7:3e:95 192.168.1.20
84:35:35:3f:15:78 192.168.1.30

While troubleshooting my setup I was logging DHCP and DNS activity on top of the standard Dnsmasq reporting, but I’ve turned both off now. The final block of the config turns off a bunch of stuff related to Windows clients, which I do have, but my network is so small that they are pointless overheads.

That’s about it! Let me know if you have any questions about my configuration, or if you can help me improve upon it. My thanks to these articles, which pointed me in the right direction:

• Setting up dnsmasq with Ubuntu 10.04 for home networking
• Dnsmasq For Easy LAN Name Services
• HowTo/dnsmasq

Updates

17 May 2014: Since posting this I’ve changed router, and the new one doesn’t support DHCP relaying. So I’m now doing DHCP on the router itself and am simply using Dnsmasq for DNS. I have commented out all of the DHCP lines in /etc/dnsmasq.conf and therefore no longer use /etc/ethers, but everything still works as before.