Monday, 9 June 2014

Media Players: Roku and Chromecast and unblock-us problems.

I just bought a Roku 3 and a Google Chromecast stick.

The Roku 3 is a set-top box that plugs into your TV's HDMI port and sits on your network. Using a remote control, you can watch various streaming media services such as Netflix, BBC iPlayer and YouTube (and many, many more).

The Chromecast stick is slightly different in that it works together with a smartphone or laptop and allows you to "cast" Netflix, YouTube and certain other enabled apps onto your TV.

Now, many people use unblock-us or a similar service to get access to Netflix's US catalogue rather than the pathetically limited UK catalogue.

unblock-us relies on you being able to choose their DNS servers for your media device so it can route requests for Netflix's catalogue via America and "fool" Netflix into thinking you are in the States.

Let me be clear - Netflix don't mind. You still pay them. The people who want to enforce this ridiculous state of affairs are the film studios who are stuck in the Pleistocene era of regional distribution.

Regions made sense back in the day when films were sent out on reels. A reel of positive film costs an arm and a leg to print and even the likes of Universal can only afford to make so many tens of thousands. So they were sent first to US cinemas. After they were done, the same reels were sent to the UK and other Region 2 countries. Then onto Region 3 countries and so on.

We're living in a digital age now - even cinemas are digital. Copies of media are very cheap (network bandwidth). So it really is an antiquated notion.

Now, probably in an effort to placate the content providers, Roku or Netflix (it's a little unclear) and Chromecast (which is a Google device) have chosen to hard code Google's public DNS servers ( and into their devices rather than respecting what my network's DHCP server tells them.

Precisely, Roku/Netflix use my DNS with as the secondary.

One option is to block and at your router (with either a firewall or static route that goes nowhere). I don't like this - and can see it causing problems as the device stutters and waits for a DNS server that will never reply.

Here's a solution for Linux enthusiasts, which actually spoofs Google's IPs - so the Roku or Chromecast stick thinks it's talking to Google's DNS but it's actually being bounced to unblock-us's.

You do not need a Linux router - but you do need a Linux PC on the same LAN (subnet) as your Roku/Chromecast/etc that's always on (at least when you are watching stuff).

Setup (change your IPs to suit)

My Linux server is
My client IP (that I wish to spoof Google for) is
I will be using unblock-us's DNS server

Step 1 - Ensure can handle IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2 - Tell your DHCP server to serve as the gateway/default route to the Roku/Chromecast

Step 3 - On, load these netfilter rules:

iptables -t nat -N spoof_google_dns
iptables -t nat -A spoof_google_dns -d -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
iptables -t nat -A spoof_google_dns -d -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
iptables -t nat -A spoof_google_dns -m connmark --mark 0x2/0x2 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -m connmark --mark 0x2/0x2 -j SNAT --to-source
iptables -t nat -A PREROUTING -s -j spoof_google_dns

Add as many copies of the LAST LINE as you need, changing to your Roku/Chromecast client IPs

If you just want to cover the whole network (eg because you don't use static IPs), replace the last line with

iptables -t nat -A PREROUTING -j spoof_google_dns

Add your laptop IP to the rules temporarily and test with

dig @

to test before and after loading the rules. The difference should be obvious.
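
To see exactly which resolvers and clients a ruleset like this affects, or to audit a gateway for this kind of DNS redirection, here is an added Python example (not code from the original post) that parses `iptables-save` output and pairs each port-53 CONNMARK rule with the DNAT rule acting on its mark. The function names are hypothetical and the sample addresses are constructed RFC 5737 documentation ranges, not the IPs used in the post.

```python
import shlex

# Constructed iptables-save sample. Addresses are RFC 5737 documentation
# ranges standing in for the IPs missing from the page, not real values.
SAMPLE = """\
*nat
:spoof_google_dns - [0:0]
-A PREROUTING -s 192.0.2.50/32 -j spoof_google_dns
-A POSTROUTING -m connmark --mark 0x2/0x2 -j SNAT --to-source 192.0.2.10
-A spoof_google_dns -d 198.51.100.8/32 -p udp -m udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
-A spoof_google_dns -d 198.51.100.4/32 -p udp -m udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
-A spoof_google_dns -m connmark --mark 0x2/0x2 -j DNAT --to-destination 203.0.113.53
COMMIT
"""

def parse_rules(text):
    """Return [(chain, {option: value})] for every '-A' rule line."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(tok):
            has_value = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            opts[tok[i]] = tok[i + 1] if has_value else ""
            i += 2 if has_value else 1
        rules.append((tok[1], opts))
    return rules

def dns_redirects(text):
    """List (original_dst, new_dst, sources) for port-53 traffic that is
    DNATed directly, or marked with CONNMARK and DNATed on that mark."""
    rules = parse_rules(text)
    # Simplification: mark/mask values are compared as exact strings.
    dnat_by_mark = {o["--mark"]: o["--to-destination"] for _, o in rules
                    if o.get("-j") == "DNAT" and "--mark" in o}
    found = []
    for chain, o in (r for r in rules if r[1].get("--dport") == "53"):
        new_dst = (dnat_by_mark.get(o.get("--set-xmark"))
                   if o.get("-j") == "CONNMARK" else o.get("--to-destination"))
        if new_dst:
            # Affected clients: -s filters on rules that jump to this chain
            srcs = sorted(r.get("-s", "any") for _, r in rules if r.get("-j") == chain)
            found.append((o.get("-d", "any"), new_dst, srcs or [o.get("-s", "any")]))
    return found

if __name__ == "__main__":
    print(dns_redirects(SAMPLE))
```

To check a live machine, pass the text printed by `iptables-save -t nat` to `dns_redirects()` in place of `SAMPLE`.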

I like this solution because:

1) It does not "break" the Google IP - it actually spoofs it;

2) It's reasonably clean as far as horrid hacks go;

3) It *only* affects DNS queries to and for specific clients so it does not bend your whole network out of shape.

4) It does not require full scale network restructuring;

5) You could probably pull the same stunt with *BSD or Windows but I have no idea how!


  1. In addition to this, do you still need to use unblock-us or similar configured as your DNS on your DHCP-server, or is this everything needed for Roku?

    1. Yes - you do need unblock-us or similar :)

  2. Great article. The DNS option is better than using a VPN regarding content streaming because you can achieve direct connection with the media station ex. Netflix and avoid the “middle-man”. Personally, I am using UnoTelly which is similar to Unblock-us. Perhaps you should check UnoTelly as well if you haven’t done so.

  3. Thx for these settings, they helped me a lot.
    I have the same thing but the newest model; now it's a little bit different, but it was useful.

    Best regards
    Toby, ideals