

Netflix restricts streaming from abroad - webdisrupt
http://money.cnn.com/2015/01/05/technology/netflix-vpn/index.html

======
timdierks
The linked-to Reddit post,
[http://www.reddit.com/r/netflix/comments/2qevqt/meta_netflix...](http://www.reddit.com/r/netflix/comments/2qevqt/meta_netflix_is_starting_to_crack_down_on_dns_vpn/),
makes it clear that it's not a VPN restriction: people are configuring DNS
servers to resolve Netflix names with US geographic resolution, but the new
Netflix app is no longer using system DNS settings, it has Google DNS
hardcoded in. Nothing about VPNs, per se.

~~~
crocowhile
Good news then. It means all it takes to bypass this is an iptables rule on a
openwrt router.

~~~
ghuntley
Correct. Either create a firewall rule or if your parents router isn't good
enough create a null static route of 8.8.8.8/255.255.255.255 and
8.8.4.4/255.255.255.255 to the routers IP address with a metric of 2 and
you'll achieve the same affect as a iptables/pf rule.

------
vbezhenar
It's funny that copyright holders restrict people to legally watch their
content and then complain that their content is being pirated.

~~~
valarauca1
>"We think there is a fundamental misconception about piracy," Newell said.
"Piracy is almost always a service problem and not a pricing problem. For
example, if a pirate offers a product anywhere in the world, 24/7, purchasable
from the convenience of your personal computer, and the legal provider says
the product is region-locked, will come to your country three months after the
U.S. release and can only be purchased at a brick and mortar store, then the
pirate's service is more valuable.

-Gabe Newell of Valve

[http://www.ign.com/articles/2011/11/25/gabe-says-piracy-
isnt...](http://www.ign.com/articles/2011/11/25/gabe-says-piracy-isnt-about-
price)

~~~
ghuntley
It is a service problem.

Game of Thrones used to available for 30-40 bucks on iTunes in the form of a
season pass. It allowed Australians to prepurchase the box set of the series
and watch to episodes as they aired (in sync with USA release schedule)

Used to. In Australia we only have one cable company Foxtel which has
advertisements, 10-20mins per 1hr of scheduled programming. Foxtel secured
exclusive rights to season 2 and 3. Now the only legal way to watch game of
thrones is to suscribe under multi year contracts at 24/month, endure the
advertising and to make matters worse episodes were delayed broadcast by 24-48
hours.

Delayed broadcast is a horrible, in Australia it basically means "avoid social
media" for 48h until Foxtel airs or have the storyline ruined. With GOT
whereby every episode was a epic twist piracy won out. Free, Imediate and no
ads.

Aussies got REALLY pissed off and just resulted to pirating from piratebay.
Foxtel got all uppity in the media, calling Australians a bunch of pirates and
then started lobbying government for copyright reform.

------
readme
This title is not completely accurate. If you read the article it specifically
references users attempting to VPN and also using the Netflix Android app.

I am gonna go out on a limb and say the app is probably checking the GPS in
order to achieve this.

Fortunately, GPS can be spoofed with the developer tools if someone wants to
test my theory: [http://stackoverflow.com/questions/2279647/how-to-emulate-
gp...](http://stackoverflow.com/questions/2279647/how-to-emulate-gps-location-
in-the-android-emulator/2279827#2279827)

~~~
dang
We changed the post to use the article's current title, which is consistent
with what you're saying. (The submitted title was "Netflix blocks users
streaming via VPN", which I think may also have been what the article
originally said.)

~~~
webdisrupt
Yes that is correct and apologies for that. After posting the article I found
that there were no changes to the way they detect VPN access. In actual fact
it was some change to just the Android App which is probably DNS resolution.

------
crazygringo
Curious -- how is this technically possible? Does Netflix simply maintain a
blacklist of IP's they know belong to certain VPN services? If you used a VPN
that wasn't popular enough to be "on the radar" (e.g. your corporate VPN based
in the US) would Netflix have any way of blocking it?

~~~
snarkyturtle
For the Android app at least, it's manually setting the DNS lookup to 8.8.8.8
(source:
[http://www.reddit.com/r/netflix/comments/2qevqt/meta_netflix...](http://www.reddit.com/r/netflix/comments/2qevqt/meta_netflix_is_starting_to_crack_down_on_dns_vpn/))

~~~
danesparza
Wow -- so if you lock down your network's DNS (say, to OpenDNS) you can't use
the Netflix app in Android?

~~~
Someone1234
Correct. But in most places that are doing those types of DNS restrictions
they would see this as a win/win, since if you're blocking Google DNS, you're
likely blocking services like Netflix anyway.

------
mhaymo
Netflix told Engadget that there has been "no change" in the way it handles
VPNs: [http://www.engadget.com/2015/01/03/netflix-clamps-down-on-
vp...](http://www.engadget.com/2015/01/03/netflix-clamps-down-on-vpns/)

Possibly this is just a bug that people have misunderstood?

~~~
TillE
Per the CNN article, there's been no change in _policy_. That doesn't exclude
technical changes. Engadget quotes two words, and who knows if they've
accurately represented the context.

------
blacksmith_tb
Hmm, shot by both sides. Now your ISP will throttle your Netflix stream to try
and punish you for not buying video content from them, and Netflix will stop
you from using a VPN to try and slip past your ISP?

~~~
aschampion
I tried this morning and it still worked through domestic VPN, i.e., I'm a US
customer using a VPN exit in the US. It only seems to be targeted at those
using VPNs to get around region restrictions. So it should still be effective
to circumvent ISP tracking, throttling and tampering.

------
kleiba
I wish they could just let paying customers watch whatever they want.

~~~
reledi
So do I, and I bet Netflix does too. But I imagine it's not up to them to
decide. They have to comply with licensing restrictions.

------
chollida1
Interesting. I use unblock-us (no affiliation) which I assumed just switched
your dns to make it look like you were in another country.

[http://superuser.com/q/617266/6263](http://superuser.com/q/617266/6263)

Can someone educate me as to why people need to use a vpn to access Netflix
instead of a service like the above?

Is it only for people in countries that Netflix doesn't service?

 __EDIT __, yes I 'm well aware of the different catalogs in different
countries, that's the point of using unblock-us:) That doesn't answer the
question I had asked:)

~~~
ghuntley
From what I've read it is speculated that NetFlix is now doing nslookups
within the actual client with a internal whitelist of DNS servers; ie the
client no loner trusts the results from the system configured resolvers and
does spot checks.

Workaround is simple really; null route the DNS servers at your router. I have
to do this anyway to get chromecast working with UnblockUS as the chromecast
is configured explictitly from the factory in a attempt to prevent these
things.

* create static route at router for 8.8.8.8/255.255.255.255 to your routers IP with metric of 2. Then do the same with 8.8.4.4. Note this disables querying googles DNS infrastructure on all devices connected on the network.

~~~
diminoten
I'm not fully sure I understand this, so what this will do is the client will
attempt and fail to check DNS, so it'll fall back to the DNS you're providing
again?

~~~
ghuntley
Configure your router with DHCP and instead of using the upstream DNS server
from your ISP configure in the servers from UnblockUS. Additionally create a
firewall rule or null static route that denies all network connectivity to
8.8.8.8 and 8.8.4.4.

Under the above configuration the chromecast will obtain a IP address and the
DNS resolver from the router. Chromecast devices provide no way to configure
DNS servers and by default does not trust the responses from your router,
instead it trusts and uses Google DNS servers, it's only when network
connectivity is blocked does the chromecast "degrade" to using the DNS server
provided by the router.

If your router is good enough I highly suggest creating two networks by
aliasing your uplink, then applying a firewall rule to the uplink that blocks
the DNS servers and then tagging by MAC address all devices such as
TV/Consoles etc.

That way for day to day computering you can use your standard resolvers but
traffic is from entertainment network/devices is forced to go out via your
tagged uplink - which blocks google DNS and uses UnblockUS for resolution.

Better security practice as it means you can be very specific as to what
devices should be allowed to be man in the middled/traffic rewritten by
UnblockUS. MITM your TV? who cares, MITM your workstation - yeah not a good
idea.

------
dante9999
Aside from detecting your ip location they must be running some other proxy
detecting schemes.

I live in Europe and have squid proxy server running on my Amazon instance
located in Portland, Oregon (something like my private "free proxy"). It works
ok in Firefox, but fails in Chrome, can't really figure out why. I suspect
chrome extension I use to easily manage proxies adds some custom header that
is detected by Netflix. And it's NOT some obvious header like "via" or
"x-forwarded-for" which I disabled as a matter of course in squid conf. All
"locate my ip" sites tell me I'm from US, but netflix tells me I'm from x
(which is my homecountry).

Alternative to running http proxy such as squid is using ssh socks
proxy(provided server you ssh to is located in US). This cannot be detected by
any means IMO.

------
bhauer
Assuming there is any validity to this story, I feel this is at least somewhat
ironic considering Netflix's position as posterboy for "network neutrality."
If one is neutral about the network, it should be of no concern whether the
user is accessing Netflix via direct TCP/UDP or an encrypted tunnel. Nor
should it matter what the client's IP address is.

I don't mean to imply that Netflix is actually in favor of a truly neutral
network—or even whether or not a truly neutral network can in practice
exist—but rather to highlight how "neutrality" means different things to
different people.

~~~
Sharlin
Pretty sure the copyright owners who are evidently behind this couldn't care
less about network neutrality; but for some reason they _do_ care quite a bit
about who can watch what in which country.

------
tyrion
Wouldn't it be easier for Netflix to ask for a valid US ID document to its
customers to prevent this? Or would this be considered a violation of privacy
somehow?

Filtering users by ip address should not be allowed IMHO. What if I am a
legitimate user traveling in Europe or some other "blocked" country? Aren't
them violating my rights then?

Or even better, what if I am a legitimate user (e.g. an US citizen) using one
of those VPN, on what legal grounds are they denying me the access to the
service?

(I am sorry if these questions may look stupid to you, please don't kill me
:P)

~~~
micheljansen
For start, that would significantly increase the barrier to registration and
almost certainly put a _lot_ of potential customers off.

------
yitchelle
Netflix (and partners) should take the lead and make its content accessible
without any border restrictions. There is no technical reason for this
restriction. It is purely for the purpose of getting more money. Is the
problem purely a copyright issue, or is it something else? Eg, the government
of the non-US country losing out of tax revenue from the non-US Netflix
subscriptions.

~~~
redblacktree
They have to play nice with Hollywood in order to get content. Doing something
like this would be giving them the middle finger, and Netflix doesn't want to
do that.

------
codezero
I hope they don't hit my VPN, I use it to get around ISP throttling.

Edit: since this is a DNS hack, looks like I'll be OK.

------
joelthelion
That's completely ridiculous. I guess people who are frequently abroad will
simply go back to pirating.

------
joncp
Educate me. What's stopping people from sending their DNS queries through the
VPN as well?

------
mwg
This has not affected me yet - has it anyone else?

------
dachia
How is it possible to block vpn access?

------
leeoniya
just when we thought, "Finally, here's a content delivery system that isnt
artificially limited by some stupid regional, device (DRM), screen-size or
targeted release-date rules."

------
faragon
Why? Shut up and take my money! :-D

