Since I posted this response to a question about unblocking Netflix on the PS4, I have been asked by several redditors to create a dedicated post so that (hopefully) the mods will pin it and it gets the visibility it needs.
Since the Netflix VPN crackdown a few weeks ago, many commercial VPN providers have deployed custom DNS rules (a “smart DNS” setup): their resolver answers Netflix hostnames with the address of a proxy on an IP range that Netflix has not flagged, so Netflix sees the session as coming from an ordinary residential ISP rather than a data center or commercial provider. If you’re curious about how this works, Google DNSmasq, SNIProxy, and Squid proxies.
This fix works perfectly for Apple TV/iOS devices and desktop web browsers, but it does not resolve Netflix geoblocking within the Netflix apps installed on Android TV, Fire TV, Chromecast, and PS4 devices. This is because the Netflix apps on these platforms use hard-coded DNS servers instead of the DNS servers configured by the VPN provider, so the smart DNS answers never reach them. If you use an Android TV, Fire TV, Chromecast, or PS4 within your home network and you want to unblock Netflix libraries from other countries, you must follow the steps outlined below.
Prerequisites:
- Router that supports OpenVPN connections
- Router that supports remote SSH access
Step #1 - Configure OpenVPN connection on your router
Contact your VPN provider and request the OpenVPN connection file for the Netflix country that you want to unblock. This will be a file with a “.ovpn” extension. You need to set up this OpenVPN connection on your router. I can’t provide instructions because the setup process varies slightly for each router. Here’s a guide that should get you started. Once this is configured, you need to enable the VPN connection.
Step #2 - Configure transparent DNS proxy on your router
This is where the magic happens! A NAT rule on the router rewrites the destination of every outgoing DNS packet, which forces the Netflix app to use the “smart DNS” servers configured by your VPN provider instead of the hard-coded DNS servers chosen by the Netflix development team. The app never notices, because it still believes it is talking to its own server.
- Contact your VPN provider for the IP address of their DNS server that unlocks Netflix. For WeVPN, the DNS server IP is 10.255.0.1. Note that this is a private (RFC 1918) address that only exists inside the tunnel, which is why the OpenVPN connection from Step #1 must be up.
- Login to your router’s configuration page and enable SSH access. Instructions for your model should be available via a Google search.
- Open a command prompt (Windows 10) or terminal window (Linux & Mac) and type “ssh admin@<ROUTER_IP>” (without quotes). Replace <ROUTER_IP> with your router’s LAN IP address (the same address you use to reach the configuration page) and “admin” with the username you log in with.
- Once connected, type each line below and press enter:
# Plain DNS (UDP and TCP port 53): rewrite the destination to the VPN resolver
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination <VPN_DNS_SERVER>
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination <VPN_DNS_SERVER>
# DNS over TLS (port 853), which some devices such as Chromecast try first
iptables -t nat -A PREROUTING -p udp --dport 853 -j DNAT --to-destination <VPN_DNS_SERVER>
iptables -t nat -A PREROUTING -p tcp --dport 853 -j DNAT --to-destination <VPN_DNS_SERVER>
Replace <VPN_DNS_SERVER> with the IP address of the DNS server that you obtained from your VPN provider previously. You can confirm the rules are in place with “iptables -t nat -L PREROUTING -n --line-numbers” (without quotes); the four DNAT entries should be listed.
These rules live only in the router’s memory. If the router loses power or is rebooted, they will be erased and will need to be reapplied, so it is recommended that you save them in a text file. Firmware with a startup-script hook (for example the /jffs/scripts/nat-start script on Asuswrt-Merlin) can reapply them automatically.
DISCLAIMER: This will route all DNS queries from every device on your LAN, not just the Netflix app, to your VPN DNS server.
Questions I’ve been asked so far…
Q: I applied these rules and Netflix still detects that I’m using a proxy/VPN. What should I do?
A: First, try logging out of the Netflix app and logging back in. It could be a caching issue. It’s possible that your VPN provider hasn’t implemented a DNS workaround to unblock Netflix yet. So far, this fix works for WeVPN, Nord, and Windscribe.
Q: I never had to setup this configuration previously. What changed?
A: Netflix has cracked down on VPNs in the past few weeks and has blocked most VPN IPs. This DNS redirect that many VPN providers have deployed is a workaround to circumvent this.
Q: My router doesn’t support OpenVPN connections or SSH access. What options do I have?
A: You should replace your router with one that supports more advanced features. I recommend Asus routers that support Merlin firmware. Check out FlashRouters for devices that are ready to be configured out of the box.
Q: How will the DNS redirect work when the OpenVPN connection is not active on my router?
A: DNS queries will not resolve if the OpenVPN connection is disabled on the router. The VPN DNS server is only reachable through the tunnel, so every device on the LAN (not just the Netflix app) loses name resolution until the tunnel comes back or you delete the rules (same commands with -D instead of -A).
Q: Can I brick my router by doing this?
A: No. The rules live only in memory and disappear on reboot, so a mistake is undone by power-cycling the router.
Q: What network service uses port 853?
A: DNS over TLS (DoT). Some devices don’t use it, but Chromecast does. DNAT only rewrites the destination address, so if your VPN provider’s resolver does not answer on 853 the TLS handshake fails; in Android’s default (“Automatic”) Private DNS mode the device then falls back to plain DNS on port 53, which the first two rules catch. A device configured for strict DoT with a hostname will not fall back and will stop resolving.
Q: My ISP requires that I use their modem/router combination device. What options do I have?
A: You can configure a more advanced router behind your ISP router.
Q: Do I need to apply this configuration on my router if I install a VPN app on my Android TV or Fire stick?
A: Yes, you do. The VPN app does not eliminate the hard-coded DNS servers embedded in the Netflix app.
Q: Why do VPN providers use commercial/data center IP addresses that Netflix can easily block? Why don’t they use residential IPs?
A: Because residential IPs are very expensive and the bandwidth on residential plans is typically limited. By using DNS redirect, VPN providers can scale out a low-cost/low-bandwidth solution.
Q: Should I be concerned that my VPN provider will be able to see all of my DNS queries?
A: Not if you trust your VPN provider’s “no logging” policy. Since the router is already sending all of your traffic through the tunnel, the provider could see the same destinations anyway. Unless you’re trading state secrets, you shouldn’t be concerned.
Q: Will these rules work with other streaming services (BBC iPlayer, Disney+, Hulu, HBO Max, Paramount+, CBC, etc.)?
A: Yes, it will once your VPN provider applies DNS redirect rules for these services. Considering the “success” that Netflix has achieved by blocking VPN IPs, it’s only a matter of time before other streaming services follow suit.
Q: Will this fix work for “smart DNS” services such as GetFlix or SmartDNSProxy?
A: Possibly, but it may be less reliable due to DNS caching.
Q: Why does Netflix choose to hard-code DNS servers only on certain devices (Chromecast, Android TV, Fire TV)? Why isn’t this a problem on the Netflix app on Apple TV or iOS devices?
A: It’s simple. Apple doesn’t allow apps to hijack DNS servers. So, the Netflix iOS app must use the DNS servers supplied by the operating system or router.
Q: How resilient is this solution to the Netflix VPN ban?
A: If your VPN provider has implemented DNS redirection properly, it is almost 100% effective. Netflix could block any residential IPs that VPN providers use for DNS lookups, but that would impact “legitimate” Netflix customers.