IP based geo-location with DNS

dawks

There are several services popping up now that allow residents of one country to appear to be located in another country. Un-blockus, tunlr, adfreetime, and USaccess to name a few.

I'm wondering how they do this. All you need to do is change your DNS server to their service, and off you go. From what I've read, they are just redirecting a portion of the process that's involved in IP geo-location. From then on, you communicate directly with a content provider's servers for full performance.

Any idea how this is done? As a learning experiment, I'd like to try and implement this myself on my VPS, but I can't find any info on how to do it. I'm not sure what to search for. I know I can do this with a proxy or VPN (already have that working), I'm just curious to learn how it's done with just DNS.

Thanks
 

Fardringle

It's not just a DNS change. You actually connect to their VPN servers and then all of your Internet traffic is routed through their server so that it actually _is_ coming from a different physical location as far as the web sites and content providers are concerned.
 

dawks

No, the ones I've mentioned are specifically DNS, there is no VPN configuration on the user's side. I use one of these DNS servers on my Apple TV to get US Netflix all the time, and there is no VPN client on Apple TV.
 

kevnich2

> No, the ones I've mentioned are specifically DNS, there is no VPN configuration on the user's side. I use one of these DNS servers on my Apple TV to get US Netflix all the time, and there is no VPN client on Apple TV.

All DNS does is translate domain names into its numerical IP address. Obviously the farther they are away from you, latency wise, the longer your web browsing will be because all name resolution will be going farther distances. Your IP address is what tells other servers where you're at. The reason your Apple TV worked that way is because the DNS servers you used in the states returned US based server IP addresses that were closest to the DNS server you used.
 

dawks

> All DNS does is translate domain names into its numerical IP address. Obviously the farther they are away from you, latency wise, the longer your web browsing will be because all name resolution will be going farther distances. Your IP address is what tells other servers where you're at. The reason your Apple TV worked that way is because the DNS servers you used in the states returned US based server IP addresses that were closest to the DNS server you used.

You really think it's that simple? So if I set up a DNS server on my VPS and use it, Netflix will think I'm in the US?

I actually normally use Verizon/Level3 Servers (4.2.2.2, 4.2.2.3) or OpenDNS (208.67.222.222) or Google's (8.8.8.8) all in the US, but these don't work. I have to use one of those paid servers to make it work.

I'm not looking for performance Jack, but yes, I do use GRC's DNS benchmark often. I've even recommended it a few times on the forums :D

I actually know quite a bit about DNS, VPNs, and proxies (I run my own DNS servers at work), etc., but I'm still trying to figure out how these services work. There's a reason people are paying for these DNS services, and I'd just like to do it myself. I don't think the only magic is that the servers are closer to netflix or hulu, there's something else.
 

seepy83

I agree...there's something else going on here but I'm not sure what. I thought maybe they were using DNS to set up a kind of ad-hoc proxy with their own server when you send a query for one of the services that requires you to be in the US. But I tested with tunlr's DNS servers, and my query to them returned the same results for hulu as if I query my usual DNS...so that rules out them redirecting you to a proxy server.
 

Lifted

> You really think it's that simple? So if I set up a DNS server on my VPS and use it, Netflix will think I'm in the US?

No, they will know you're not in the US, but the DNS server will resolve IPs using the records Netflix provided to it (or provided to an upstream DNS server).

> I actually normally use Verizon/Level3 Servers (4.2.2.2, 4.2.2.3) or OpenDNS (208.67.222.222) or Google's (8.8.8.8) all in the US, but these don't work. I have to use one of those paid servers to make it work.

That's because these DNS servers all use anycast. You're connecting to the DNS server that BGP routing tables have determined is the best, and most probably closest route to you, which is probably in your own country or nearby geographically.

> I actually know quite a bit about DNS, VPNs, and proxies (I run my own DNS servers at work), etc., but I'm still trying to figure out how these services work. There's a reason people are paying for these DNS services, and I'd just like to do it myself. I don't think the only magic is that the servers are closer to netflix or hulu, there's something else.

Netflix or hulu can use your IP to determine your location. If they determine you are not in a country or region that they are licensed to broadcast to, they will not permit you to watch the videos (or possibly offer you different videos to watch).

As far as "tricking" Netflix, hulu, youtube, etc., by using remote DNS servers, you're only hurting yourself. Your ISP's DNS servers will provide the best records for you, as these records point to either peering or CDNs on or near your ISP's network. If you are trying to masquerade as being in another country, the only way to do that is with a VPN or proxy located in that country (or using a local VPN that has a POP in that country, or IPs allocated to that country).
 

seepy83

> If you are trying to masquerade as being in another country, the only way to do that is with a VPN or proxy located in that country (or using a local VPN that has a POP in that country, or IPs allocated to that country).

Typically I would agree...but take a look around the tunlr website/forums (not sure about the other services that the OP mentioned....I just happened to look at tunlr). This thing works for a lot of people and the only requirement is to use tunlr's DNS servers. And my initial test showed that it doesn't look like their servers are returning the address for a Proxy instead of the real address for the streaming service (like Hulu) that you're requesting.
 

dawks

> Typically I would agree...but take a look around the tunlr website/forums (not sure about the other services that the OP mentioned....I just happened to look at tunlr). This thing works for a lot of people and the only requirement is to use tunlr's DNS servers. And my initial test showed that it doesn't look like their servers are returning the address for a Proxy instead of the real address for the streaming service (like Hulu) that you're requesting.

Yea, this is actually big business. As I said, there's at least 3 paid companies, plus tunlr operating here. It's a real issue for us in Canada, Australia, Europe...

A guy who's running one of these servers said they just handle a part of the process where netflix or hulu ip-geo-locate, then pass you off directly to their servers. So there's no proxy or performance impact. And there can't really be a proxy since the streams and websites are HTTPS.

There doesn't have to be a proxy or VPN configured, I know because I can get US Netflix and hulu, just by changing my DNS server.

For those in the US, I believe you can try unblock-us to get access to some services in Europe. Try something like the BBC iPlayer. Or set up unblock-us then load netflix. I suspect you'll see completely different content, just by changing your DNS server (and choosing the location on the unblock-us website).

For an example of an annoyance, if I go to Netflix on my iPad (using Google DNS, so Canada's Netflix version) I get Seasons 1-5 of Trailer Park Boys. But if I load Netflix on my Apple TV (using tunlr DNS, US Netflix), I get Seasons 1-7 of Trailer Park Boys. The funny thing is, Trailer Park Boys is produced in Canada, and owned by Canadians.
 

Lifted

http://support.unblock-us.com/custo...5470-tunlr-user-looking-for-your-netflix-fix-
> Tunlr User Looking For Your Netflix Fix?
> Last Updated: Sep 11, 2013 12:45PM EDT
>
> We’re sad to hear the news of Tunlr dropping support for Netflix. Supporting Netflix brings massive demand, in both data costs and support. Having the infrastructure to deal with both of these things is expensive, and for a free service just isn’t viable.
>
> We’d like to extend our arms open wide and welcome any of you guys missing your fix over here. We support Netflix and a lot of other services too.
>
> Feel free to give us a go, no strings attached for a week, and we hope you’re that happy with us that you’ll stay. We have easy video tutorials to follow – to make setting up your devices as easy as possible. When our customers need to ask for help, over 95% are happy with the technical support they received.

http://tunlr.net/status/
> Primary DNS resolver status up
> Secondary DNS resolver status up
> Proxy server (United States) status up
> Proxy server (United Kingdom) status up
> Proxy server (Continental Europe) status up

See those Proxy servers mentioned there? All they were doing was providing you with their proxy server when you requested the IP for netflix.com. I'm actually pretty amazed they were able to supply that bandwidth as long as they did.

Edit: I suspected streaming Netflix was just way too much data to be proxying on a private network, and that these services are only proxying the initial geo-authorization and then passing you off to the content servers, although this should be easy to prevent from the CDN side. This appears to be the consensus on how these services are actually working. No doubt the content owners will catch wind of this if they haven't already, and will pressure the providers to implement better access restrictions as what they are doing now is pretty weak. There's no reason the CDN should be streaming to IPs which the authorization servers would deny access from.
 

dawks

Yup, it's not using a proxy because the proxy causes performance issues, and of course the huge cost of bandwidth you mentioned. Also, as I said, the websites and streams are HTTPS, and proxies would break the SSL/TLS connections.

So the question is, how is this done? :D
 

drebo

Lifted explained how it's being done. With netflix, the initial handshake and likely the authorization isn't handled by the same server that releases the data (this is extremely common with CDNs and why you can view any photo on facebook's CDN without being logged in). So your DNS request points you to one of their servers which proxies the initial authorization request, but when you actually request the data from the CDN servers, you get the correct IP and not the proxy IP.
 

Lifted

> the websites and streams are HTTPS, and proxies would break the SSL/TLS connections.

I'm not sure which proxies you've been using, or who is after you :ninja:, but this isn't true unless the proxy is attempting a rather obvious man-in-the-middle attack.
 

kevnich2

> Yup, it's not using a proxy because the proxy causes performance issues, and of course the huge cost of bandwidth you mentioned. Also, as I said, the websites and streams are HTTPS, and proxies would break the SSL/TLS connections.
>
> So the question is, how is this done? :D

Lifted pretty much nailed it on this. They most certainly are using proxies. They're just having the clients change DNS settings so it makes things easier to set up and less troubleshooting. Their DNS points traffic to their proxy servers for the actual data so the netflix servers are receiving the request from US based servers, hence why it works that way. But yes, they are using proxies to relay packets between you and the servers you're actually trying to get.

DNS is simple yet effective, just make sure you trust whomever you're using because as you can see, they can send your traffic anywhere they like, it just depends what they have in their zone records. This is also why the paid services for this work compared to the other free DNS servers that simply resolve to the correct servers from the authoritative DNS servers for their zones. The proxies they are using need to have a lot of bandwidth to process things like this, which obviously costs a bit of $$
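
The trust point in the last post, and the manual comparison seepy83 ran earlier, can be turned into a repeatable check. This is an added example, not part of the thread: it compares a resolver's answers with a baseline and flags names that collapse onto one address the baseline never returned, because a plain difference is normal with CDNs. The domains, the addresses (RFC 5737 documentation ranges) and the `audit_resolver` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: A-record answers per domain, as collected from a
# trusted baseline resolver and from the resolver under test.
BASELINE = {
    "video.example": {"198.51.100.10", "198.51.100.11"},
    "tv.example": {"198.51.100.80"},
    "cdn.video.example": {"198.51.100.200"},
    "news.example": {"192.0.2.5"},
}
SUSPECT = {
    "video.example": {"203.0.113.7"},
    "tv.example": {"203.0.113.7"},
    "cdn.video.example": {"198.51.100.201"},  # CDN answers vary by resolver
    "news.example": {"192.0.2.5"},
}


def audit_resolver(baseline, suspect, min_shared=2):
    """Classify each domain by how the suspect resolver's answer differs.

    Returns (report, redirect_ips). A domain is "redirected" when it resolves
    to an address the baseline never returned for any name and that address
    is shared by at least min_shared names (a heuristic for one proxy front
    end standing in for several services).
    """
    # Every address the baseline returned for any domain.
    known = set().union(*baseline.values())
    # Map each never-seen address to the domains the suspect sent there.
    novel = defaultdict(set)
    for domain, ips in suspect.items():
        for ip in ips - known:
            novel[ip].add(domain)
    redirect_ips = {ip for ip, doms in novel.items() if len(doms) >= min_shared}

    report = {}
    for domain, ips in suspect.items():
        if ips & redirect_ips:
            report[domain] = "redirected"
        elif ips == baseline.get(domain, set()):
            report[domain] = "same"
        else:
            report[domain] = "differs"  # could be ordinary CDN steering
    return report, redirect_ips
```

A "differs" result alone is weak evidence; "redirected" names are the ones whose TLS certificates and traffic path deserve a closer look.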