I have a problem with Netflix on my Roku - it keeps buffering to 25% and then no further. Some Googling suggests that this is because the Netflix app on the Roku hard codes Google's 8.8.8.8 DNS which, somehow, occasionally breaks incoming data. The suggested solution is to configure your router/firewall to redirect 8.8.8.8 to the DNS server ip of your choice. I'm not entirely convinced by this solution, but I can't find any others and I'm desperate.
My router is a server on my network and it's currently using Arno's IPTables Firewall script to configure the firewall. As far as I can tell there is no option to forward ip x to ip y - all forwarding is based on ports: i.e., forward incoming requests for port 80 to 192.168.0.15.
Arno's script does support custom IPtables rules, so I thought I'd just Google how to do it like that. However, all I can find are rules also based on port forwarding. I did find one solution that suggested I should use this:
iptables -t nat -A OUTPUT -d [ipaddress1] -j DNAT --to-destination [ipaddress2]
But, after adding that to my custom rules and restarting the firewall, my system still went looking for Google's DNS servers when resolving 8.8.8.8
Is anyone able to suggest any way I can do this? Or, perhaps I'm completely confused and trying to do the wrong thing - I'm hoping that, if that's the case, someone here will be clever enough to spot it and steer me straight.
Thanks in advance!
How do you diagnose which address is actually looked for after applying the iptables rule?
I've tried to redirect 8.8.8.8 to localhost, which has unbound installed:
iptables -t nat -A OUTPUT -d 8.8.8.8 -j DNAT --to-destination 127.0.0.1
This works for ping (the response time is significantly shorter), but for DNS queries I get:
$ dig archlinux.org @8.8.8.8
;; reply from unexpected source: 192.168.1.100#53, expected 8.8.8.8#53
;; reply from unexpected source: 192.168.1.100#53, expected 8.8.8.8#53
;; reply from unexpected source: 192.168.1.100#53, expected 8.8.8.8#53
; <<>> DiG 9.9.2-P2 <<>> archlinux.org @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
You might need to mangle also the reply using SNAT ('--to-source' option). It would also be a good idea to add destination port checking to mangle only DNS traffic.
I simply tried a trace:
# tracepath 8.8.8.8
1?: [LOCALHOST] pmtu 1500
1: google-public-dns-a.google.com 0.057ms reached
1: google-public-dns-a.google.com 0.066ms reached
Resume: pmtu 1500 hops 1 back 64
To be fair, it was rather quick and it's possible the resolution to google-public-dns-a.google.com is cached.
Attempting to reproduce your dig command I get:
dig archlinux.org @8.8.8.8
; <<>> DiG 9.9.2-P2 <<>> archlinux.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38533
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;archlinux.org. IN A
;; ANSWER SECTION:
archlinux.org. 61081 IN A 66.211.214.131
;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 6 20:00:06 2014
;; MSG SIZE rcvd: 58
For completeness, this is what I added to custom-rules:
iptables -t nat -A OUTPUT -d 8.8.8.8 -j DNAT --to-destination 192.168.0.1
My understanding is that this should redirect all internal requests to 8.8.8.8 to 192.168.0.1 - which is my router's ip and it is running a DNS server.
Having now attempted a tracepath without the rule applied - I'm beginning to think that it did work as expected, although some confirmation from someone with more idea than me would help my confidence.
Regarding the dig command -- I've found out that the 'reply from unexpected source' error occurs only when the dig and iptables commands are run on the same host. Applying the iptables rule on the router instead of my laptop made dig work as expected...
To definitively confirm it, use tcpdump on the router, but I think it already works just fine. Just add the checking to mangle only DNS traffic (UDP port 53):
iptables -t nat -A OUTPUT -d 8.8.8.8 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.1
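Pulling the thread's pieces together: the OUTPUT chain only sees packets the router itself generates, so a rule there does nothing for a Roku on the LAN; forwarded traffic has to be caught in PREROUTING. The script below is an added example (not from this thread and not part of Arno's firewall script) that installs both rules, restricted to port 53 over UDP and TCP, and adds the MASQUERADE rule that is only needed when the resolver you redirect to is another LAN host rather than the router (without it the resolver answers the client directly, the reply never passes back through conntrack, and the client sees exactly the 'reply from unexpected source' error above). The addresses and the interface name eth1 are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Redirect DNS queries sent to a hard-coded resolver (e.g. Google's 8.8.8.8)
# to a resolver of your choice on a Linux/iptables router.
# Added example for this thread; not code from the thread or from Arno's script.
# Assumed values: hard-coded resolver 8.8.8.8, local resolver 192.168.0.1, LAN side eth1.

# run: execute iptables, or just print the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dns_redirect_rules HARDCODED_DNS LOCAL_DNS LAN_IF
# PREROUTING catches queries forwarded from LAN clients (the Roku);
# OUTPUT only covers queries the router itself sends.  Both are limited to
# destination port 53 so nothing but DNS is rewritten.
dns_redirect_rules() {
    hard="$1"; local_dns="$2"; lan_if="$3"
    for proto in udp tcp; do
        run -t nat -A PREROUTING -i "$lan_if" -d "$hard" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$local_dns"
        run -t nat -A OUTPUT -d "$hard" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$local_dns"
    done
}

# dns_hairpin_rule LOCAL_DNS LAN_IF
# Only needed when LOCAL_DNS is another host on the same LAN as the client:
# rewriting the source makes the resolver reply to the router, which then
# un-DNATs the answer so the client sees it coming from the address it asked.
dns_hairpin_rule() {
    local_dns="$1"; lan_if="$2"
    for proto in udp tcp; do
        run -t nat -A POSTROUTING -o "$lan_if" -d "$local_dns" -p "$proto" --dport 53 \
            -j MASQUERADE
    done
}

# dns_redirect_verify LAN_IF
# Shows the rule hit counters; on a live router run it after a client does a
# lookup and the PREROUTING counters should increase.
dns_redirect_verify() {
    run -t nat -L PREROUTING -n -v
    run -t nat -L OUTPUT -n -v
}

case "${1:-}" in
    apply)
        dns_redirect_rules "${2:-8.8.8.8}" "${3:-192.168.0.1}" "${4:-eth1}"
        # Uncomment if the resolver is a separate LAN host, not the router:
        # dns_hairpin_rule "${3:-192.168.0.1}" "${4:-eth1}"
        ;;
    verify) dns_redirect_verify "${2:-eth1}" ;;
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 apply [hardcoded-dns] [local-dns] [lan-if] | verify" >&2; exit 2 ;;
esac
```

To see what would be installed without touching the firewall, run `DRY_RUN=1 sh dns-redirect.sh apply 8.8.8.8 192.168.0.1 eth1`. Paste the resulting lines into Arno's custom-rules file, or let the script run on the router with root privileges. A packet capture on the LAN interface (`tcpdump -ni eth1 'udp port 53'`) while the Roku starts is the most direct confirmation that queries for 8.8.8.8 are now answered by the local resolver.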
Thanks for all your help. I'm pretty confident that it is working now. Unfortunately, it doesn't seem to have fixed the problem with Netflix... Ah well.