
How does Unblock US actually work?

  • 03-04-2014 3:49pm
    #1
    Registered Users Posts: 339 ✭✭


    Hi,
    I'm trying to figure out how Unblock-US works, a bit deeper than explained in their FAQ.

    I understand that Unblock-US uses a DNS server to respond to certain queries like *.netflix.com with the IP of their own servers, but after that, how does it work that the client PC communicates with Netflix without the browser alerting of a possible man-in-the-middle attack?

    I know that it's possible to use a SNI proxy to handle some of the queries but this will not work for all browsers.

    So how do you reckon Unblock US achieves rerouting SSL connections through their region-local servers to Netflix's servers without it causing SSL trouble that leads to the browser raising security warnings?

    I'm really scratching my head on this one!


Comments

  • Registered Users Posts: 13,981 ✭✭✭✭Cuddlesworth


    Geo-DNS loadbalancing. Your DNS request is proxied through their servers in the US, not forwarded.

    Netflix as a service seems to geolocate you based on your initial DNS request and not bother at any other stages in the process of communicating to them. It's not that unreasonable, since Netflix have a pretty comprehensive network of caching servers spread across many networks and locations.

    If they added additional geolocation checks against your actual IP, it would have to be across every node in the service adding complexity and resource requirements, since every node would have to check back against an IP database for the second time.

    I also think they might turn a blind eye, stating they did their due diligence. I'm not sure how media-hint is operating. I don't like that one.


  • Registered Users Posts: 339 ✭✭spoonface


    That sounds sensible. What they seem to be doing is serving DNS entries related to Netflix to point to their own Squid servers, which handle the traffic.

    But everything I read about Squid as a loadbalancer for https implies that 2 tunnels will be set up (1 from client-pc to loadbalancer and one from loadbalancer to server), meaning that it will appear to be a man-in-the-middle attack, raising browser warnings. How is this to be avoided?
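
The SNI proxy idea raised in the opening post, as an added example that is not part of the original thread and is not Unblock-US's code: a pass-through proxy can read the requested host name from the unencrypted TLS ClientHello and relay the bytes untouched, so the browser still validates the real server's certificate, while a client that sends no SNI gives the proxy nothing to route on. The sample ClientHello is constructed, the function names are hypothetical, and the parser assumes the ClientHello arrives in a single TLS record.

```python
import struct

def build_client_hello(hostname=None) -> bytes:
    """Constructed sample: minimal TLS ClientHello, with SNI if hostname is given."""
    tail = b""
    if hostname:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0
        tail = struct.pack("!H", len(exts)) + exts
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + tail)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # ClientHello header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # handshake record

def extract_sni(record: bytes):
    """Return the host name a client asked for, or None if it cannot be read."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not handshake / ClientHello
            return None
        data = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        pos = 4 + 2 + 32                             # hs header, version, random
        pos += 1 + data[pos]                         # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                         # compression methods
        if pos + 2 > len(data):
            return None                              # legacy hello, no extensions
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(data)):
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            if ext_type == 0:                        # server_name extension
                n = struct.unpack("!H", data[pos + 7:pos + 9])[0]
                return data[pos + 9:pos + 9 + n].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                         # truncated or malformed input
    return None

def route(record: bytes):
    """Proxy decision: relay the untouched bytes to the named host, or refuse."""
    host = extract_sni(record)
    return ("relay", host) if host else ("refuse", None)

if __name__ == "__main__":
    print(route(build_client_hello("www.example.test")))  # constructed host name
    print(route(build_client_hello()))                     # client without SNI
```

Because the proxy never terminates TLS, it holds no certificate of its own and the only thing it learns is the host name; the refusal branch is the case the opening post describes as not working for all browsers.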


  • Registered Users Posts: 13,981 ✭✭✭✭Cuddlesworth


    spoonface wrote: »
    That sounds sensible. What they seem to be doing is serving DNS entries related to Netflix to point to their own Squid servers, which handle the traffic.

    But everything I read about Squid as a loadbalancer for https implies that 2 tunnels will be set up (1 from client-pc to loadbalancer and one from loadbalancer to server), meaning that it will appear to be a man-in-the-middle attack, raising browser warnings. How is this to be avoided?

    I'm not sure what you mean. When I was using UnblockUS, my traffic was direct, my DNS is proxied. No HTTP traffic goes through their service. Media hint uses a PAC configuration file, which I have not looked into yet.


  • Registered Users Posts: 339 ✭✭spoonface


    How can you be sure the traffic was direct? As far as I can tell, the video stream is direct but *.netflix.com is not, i.e. they use their DNS service to give you a faked response to *.netflix.com, which then goes through their proxies, not direct to the actual netflix.com


  • Registered Users Posts: 13,981 ✭✭✭✭Cuddlesworth


    spoonface wrote: »
    How can you be sure the traffic was direct? As far as I can tell, the video stream is direct but *.netflix.com is not, i.e. they use their DNS service to give you a faked response to *.netflix.com, which then goes through their proxies, not direct to the actual netflix.com

    Netflix.com was resolving to a known American IP block they use with the service active.

    The actual video stream is DNS independent, see page 14 of this PDF.

    If the IP address being given is the address of an actual netflix server then my traffic is not being proxied.

    I also checked quite a few other sites as well.

    Besides, running a popular proxy service specifically for video streaming services would be something that would raise quite a few eyebrows.


  • Registered Users Posts: 339 ✭✭spoonface


    Take for example customerevents.netflix.com, which is called during a user's session with Netflix, before the actual video stream content comes down through a CDN.

    For example, the US-unblock DNS Server returns the following for customerevents.netflix.com:

    customerevents-1848156627.us-west-9.elb.amazonaws.com [67.216.222.42]

    But the IP above is not Netflix's.


  • Registered Users Posts: 13,981 ✭✭✭✭Cuddlesworth


    Netflix use Amazon's cloud for most of their content delivery system. When I looked at it before I was primarily interested in the IPs given for video streaming, as that was where I noticed a major difference in IP range given.


    ***************>nslookup customerevents.netflix.com
    Server: router.asus.com
    Address: 192.168.2.1

    Non-authoritative answer:
    Name: beaconserver-ce-543201710.eu-west-1.elb.amazonaws.com
    Addresses: 176.34.114.99
    176.34.114.232
    46.51.178.105
    Aliases: customerevents.netflix.com



    **************>nslookup netflix.com
    Server: router.asus.com
    Address: 192.168.2.1

    Non-authoritative answer:
    Name: netflix.com
    Address: 69.53.236.17

