The Roku 3 is a set top box that plugs into your TV's HDMI port and sits on your network. Using a remote control, you can watch various streaming media services such as Netflix, BBC iPlayer and Youtube (and many many more).
The Chromecast stick is slightly different in that it works together with a smartphone or laptop and allows you to "cast" Netflix, Youtube and certain other enabled apps onto your TV.
Now, many people use unblock-us or a similar service to allow us to get access to Netflix's US catalogue rather than the pathetically limited UK catalogue.
unblock-us relies on you being able to choose their DNS servers for your media device, so it can route requests for Netflix's catalogue via America and "fool" Netflix into thinking you are in the States.
Let me be clear - Netflix don't mind. You still pay them. The people who want to enforce this ridiculous state of affairs are the film studios, who are stuck in the Pleistocene era of regional distribution.
Regions made sense back in the day when films were sent out on reels. A reel of positive film costs an arm and a leg to print, and even the likes of Universal can only afford to make so many tens of thousands. So they were sent first to US cinemas. After they were done, the same reels were sent to the UK and other Region 2 countries, then on to Region 3 countries and so on.
We're living in a digital age now - even cinemas are digital. Copies of media are very cheap (network bandwidth). So it really is an antiquated notion.
Now, probably in an effort to placate the content providers, Roku or Netflix (it's a little unclear) and Chromecast (which is a Google device) have chosen to hard-code Google's public DNS servers (22.214.171.124 and 126.96.36.199) into their devices rather than respecting what my network's DHCP server tells them.
To be precise, Roku/Netflix use my DNS with 188.8.131.52 as the secondary.
One option is to block 184.108.40.206 and 220.127.116.11 at your router (with either a firewall rule or a static route that goes nowhere). I don't like this - and can see it causing problems as the device stutters and waits for a DNS server that will never reply.
Here's a solution for Linux enthusiasts which actually spoofs Google's IPs - so the Roku or Chromecast stick thinks it's talking to Google's DNS, but it's actually being bounced to unblock-us's.
You do not need a Linux router - but you do need a Linux PC on the same LAN (subnet) as your Roku/Chromecast/etc. that's always on (at least when you are watching stuff).
Setup (change the IPs to suit your network):
My Linux server is 10.0.0.14
My client IP (that I wish to spoof Google for) is 10.0.0.55
I will be using unblock-us's DNS server 18.104.22.168
Step 1 - Ensure 10.0.0.14 can handle IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Step 2 - Tell your DHCP server to hand out 10.0.0.14 as the gateway/default route to the Roku/Chromecast.
Step 3 - On 10.0.0.14, load these netfilter rules:
# Dedicated chain for the spoofing logic
iptables -t nat -N spoof_google_dns
# Mark connections that are UDP/53 queries to the hard-coded Google addresses
iptables -t nat -A spoof_google_dns -d 22.214.171.124/32 -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
iptables -t nat -A spoof_google_dns -d 126.96.36.199/32 -p udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
# Rewrite the destination of marked connections to unblock-us's DNS server
iptables -t nat -A spoof_google_dns -m connmark --mark 0x2/0x2 -j DNAT --to-destination 188.8.131.52
# Rewrite the source so replies come back through this box, where conntrack undoes the destination rewrite
iptables -t nat -A POSTROUTING -m connmark --mark 0x2/0x2 -j SNAT --to-source 10.0.0.14
# Send the Roku/Chromecast client's traffic through the chain
iptables -t nat -A PREROUTING -s 10.0.0.55 -j spoof_google_dns
Add as many copies of the LAST LINE as you need, changing 10.0.0.55 to your Roku/Chromecast client IPs.
If you just want to cover the whole network (e.g. because you don't use static IPs), replace the last line with:
iptables -t nat -A PREROUTING -j spoof_google_dns
Add your laptop's IP to the rules temporarily and run
dig @184.108.40.206 movies.netflix.com
before and after loading the rules. The difference should be obvious.
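As an added check (my own script, not part of the original post), the following parses the output of `iptables -t nat -S` and verifies the nat table is wired the way the rules above intend: a CONNMARK rule for UDP/53 to each spoofed Google address, DNAT only to the intended unblock-us server, a connmark-matched SNAT to the box's LAN address, and a PREROUTING jump covering every client (or a network-wide one). The sample ruleset is constructed inline to mirror the rules above; the function names are my own.

```python
import shlex
# Constructed sample of `iptables -t nat -S` output, matching the post's rules.
SAMPLE_RULES = """\
-N spoof_google_dns
-A PREROUTING -s 10.0.0.55/32 -j spoof_google_dns
-A POSTROUTING -m connmark --mark 0x2/0x2 -j SNAT --to-source 10.0.0.14
-A spoof_google_dns -d 22.214.171.124/32 -p udp -m udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
-A spoof_google_dns -d 126.96.36.199/32 -p udp -m udp --dport 53 -j CONNMARK --set-xmark 0x2/0x2
-A spoof_google_dns -m connmark --mark 0x2/0x2 -j DNAT --to-destination 188.8.131.52
"""

def _arg(rule, flag):
    """Value following `flag` in a tokenised rule ('' if absent), with any /32 suffix dropped."""
    return rule[rule.index(flag) + 1].split("/")[0] if flag in rule else ""

def audit_spoof_chain(rules_text, chain, spoofed_ips, upstream_dns, lan_ip, clients):
    """Return a list of findings; an empty list means the nat table is wired as the post describes."""
    rules = [shlex.split(line) for line in rules_text.splitlines() if line.strip()]
    appended = [r for r in rules if r[0] == "-A"]
    in_chain = [r for r in appended if r[1] == chain]
    findings = [] if ["-N", chain] in rules else [f"chain {chain} is missing"]
    # Each spoofed resolver IP needs a CONNMARK rule limited to UDP/53.
    for ip in spoofed_ips:
        if not any(_arg(r, "-d") == ip and _arg(r, "-j") == "CONNMARK"
                   and _arg(r, "--dport") == "53" for r in in_chain):
            findings.append(f"no CONNMARK rule for UDP/53 to {ip}")
    # Marked connections must be DNATed to the intended upstream and nowhere else.
    targets = {_arg(r, "--to-destination") for r in in_chain if _arg(r, "-j") == "DNAT"}
    if targets != {upstream_dns}:
        findings.append(f"DNAT targets {sorted(targets)}, expected only {upstream_dns}")
    # Replies must return via this box, so marked flows need SNAT to its LAN address.
    if not any(r[1] == "POSTROUTING" and _arg(r, "-j") == "SNAT" and "connmark" in r
               and _arg(r, "--to-source") == lan_ip for r in appended):
        findings.append(f"no connmark-matched SNAT to {lan_ip} in POSTROUTING")
    # Every client must enter the chain, via its own jump or a network-wide one.
    jumps = [r for r in appended if r[1] == "PREROUTING" and _arg(r, "-j") == chain]
    covered_all = any("-s" not in r for r in jumps)
    for client in clients:
        if not covered_all and not any(_arg(r, "-s") == client for r in jumps):
            findings.append(f"client {client} never enters {chain}")
    return findings

if __name__ == "__main__":  # prints "ruleset OK" for the sample above
    print(audit_spoof_chain(SAMPLE_RULES, "spoof_google_dns", ["22.214.171.124", "126.96.36.199"],
                            "188.8.131.52", "10.0.0.14", ["10.0.0.55"]) or "ruleset OK")
```

On the real box, feed it the live output of `iptables -t nat -S` instead of the sample to catch a missing client jump or a DNAT that points somewhere you did not intend.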
I like this solution because:
1) It does not "break" the Google IP - it actually spoofs it;
2) It's reasonably clean as far as horrid hacks go;
3) It *only* affects DNS queries to 220.127.116.11 and 18.104.22.168 for specific clients, so it does not bend your whole network out of shape;
4) It does not require full-scale network restructuring;
5) You could probably pull the same stunt with *BSD or Windows, but I have no idea how!