Skip to main content

Unblock Us Security

Unblock Us is an interesting solution to viewing region locked content online. Instead of offering VPN services, they offer a DNS-based solution. By using their DNS servers, geolocation requests by services such as Hulu and Pandora are directed through a geographically appropriate proxy. The remainder of your traffic (e.g. the video or audio stream) is accessed directly. That means you can make use of your connection's full bandwidth. Conversely, VPN connections often decrease your connection speed significantly.

However, the DNS solution has security implications. As a DNS provider, Unblock Us is the in perfect position to perform a man in the middle attack. After all, that's what they're doing to sites like Hulu. (Note that SSL connections are safe from man in the middle attacks.)

If you trust Unblock Us, then this isn't a problem. If you don't, it's best to limit the traffic that uses their DNS servers. The remainder of your traffic should use a trusted DNS provider instead (e.g. Google's public DNS servers).

One way to accomplish this is to set up a local DNS server and configure it to forward requests appropriately. On Ubuntu, this is relatively straight forward:

sudo apt-get install bind9
sudo vim /etc/bind/named.conf.options /etc/bind/named.conf.local
Change /etc/bind/named.conf.options to use some default DNS servers (e.g. Google DNS) and to only listen on loopback interfaces:
forwarders {
  8.8.8.8;
  8.8.4.4;
};

listen-on-v6 { ::1; };
listen-on { 127.0.0.1; };
Then change /etc/bind/named.conf.local to use the Unblock Us DNS servers for the zones you're interested in.
zone "hulu.com" {
  type forward;
  forwarders {
    208.122.23.22;
    208.122.23.23;
  };
};
Finally, sudo /etc/init.d/bind restart and change your connection settings (e.g. via Network Manager) to use 127.0.0.1 as your DNS server.

Assuming you've set up your Unblock Us account, accessing hulu.com should now use the Unblock Us DNS server and direct you through their proxy. Accessing anything else should use Google's public DNS servers.

This post was inspired by Jonathan Tullett's post.

Comments

  1. Hello Damon,
    I have been using unblock-us for a long time now but recently Netflix has stopped working with them and their Customer Support is getting awful (maybe due to lots of mails due to this problems !). Will have to search for an alternative very soon

    ReplyDelete
  2. Maybe Netflix started doing geolocation over SSL :)

    ReplyDelete
  3. Thanks for the initial motivation Damon ;-) I need to add a zone for unblock-us, too.

    And wrote an article on the setup for Mac Os: http://amazing-development.com/archives/2012/03/07/unblock-us-for-mac-os/

    ReplyDelete
  4. I tried unblock and unotelly. Both works well but I think unotelly offers more channels comparatively. Is there any advantage above that to use unblock-US.

    Please reply.

    ReplyDelete
  5. Good stuff, that's exactly what I was looking for, thanks a lot :) Did you also try it with the BBC iPlayer? The following does not work :(

    zone "bbc.co.uk" {
    type forward;
    forwarders {
    208.122.23.22;
    208.122.23.23;
    };
    };

    ReplyDelete
  6. Figured it out. For those to follow, it's:

    zone "bbc.co.uk" {
    type forward;
    forwarders {
    208.122.23.22;
    208.122.23.23;
    };
    };

    zone "llnwd.net" {
    type forward;
    forwarders {
    208.122.23.22;
    208.122.23.23;
    };
    };

    ReplyDelete
  7. Have only just seen this.

    Thank you for the hat-tip (jkt.im is mine) :)

    I'm happy with using unblock-us.com for all DNS; as happy as I am using Google, anyway ;)

    One thing you need to consider is that Netflix and Boxee (both need to be enabled for the geo-IP locking content) use a bunch of domains outside of their base ones. Netflix was, at one point, using Akami for their distribution, then Amazon S3, updating bind to manage all of those was a PITA (and required setting up proxies to find out exactly where was being hit).

    In the end, I just switched over to unblock-us...they have my credit card number, they know where I live, how much worse can it get? :)

    ReplyDelete
  8. A was an unblockus customer for more than 6 months. I recently changed to Unotelly because they support more channels and they have great customer support. I'm satisfied with their service.

    ReplyDelete

Post a Comment

Popular posts from this blog

XBee ZNet 2.5 Wireless Accelerometer

I managed to put together a wireless accelerometer the other night using my two new XBees, an Arduino XBee shield, an XBee Explorer USB, an ADXL330, and some Python. I struggled a bit with some of it, so here's what I learned:

First, a parts list.
XBee 2mW Series 2.5 Chip AntennaArduino XBee (with XBee Series 2.5 module)XBee Explorer USBADXL330I'm not sure exactly what the specs are on the XBee that comes with the Arduino shield. But, it is definitely a series 2.5.

The first thing to do is to configure and upgrade the firmware on your XBees. To do that, you'll need X-CTU (for the firmware upgrade at least, but it's also nice for configuration) which, unfortunately, is only available for Windows. But, it works fine from VMware. First up, the XBee we'll hook up to the computer to read incoming data from the accelerometer:
Plug one of the XBees into the Explorer (it's also possible to do this from the Arduino shield by shifting the two XBee/USB jumpers to USB and remo…
Read more

Android Recipes and Snippets

I've put together a small collection of Android recipes. For each of these recipes, this is an instance of Context (more specifically, Activity or Service) unless otherwise noted. Enjoy :)

Intents
One of the coolest things about Android is Intents. The two most common uses of Intents are starting an Activity (open an email, contact, etc.) and starting an Activity for a result (scan a barcode, take a picture to attach to an email, etc.). Intents are specified primarily using action strings and URIs. Here are some things you can do with the android.intent.action.VIEW action and startActivity().Intent intent = new Intent(Intent.ACTION_VIEW);
// Choose a value for uri from the following.
// Search Google Maps: geo:0,0?q=query
// Show contacts: content://contacts/people
// Show a URL: http://www.google.com
intent.setData(Uri.parse(uri));
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);Other useful action/URI pairs include:Intent.ACTION_DIAL, tel://8675309Intent.ACTION_CALL…
Read more

Email Injection

Not so long ago, I ran a wiki called SecurePHP. On that wiki, there was one particular article about email injection that received a lot of attention. Naturally, with all the attention came lots of spam. As a result, I disabled editing of the wiki and content stagnated. Still, the email injection article remained popular. About a year later, the server that hosted SecurePHP died and I never had a chance to hook it all back up. I saved the article though and I'm reposting it now. It may be a bit old (I've been away from PHP for a long time), and I didn't write all of it, so feel free to leave comments about needed updates and corrections. Though this article focuses on PHP, it provides a lot of general information regarding email injection attacks.

The PHP mail() FunctionThere are a lot of ways to send anonymous emails, some use it to mass mail, some use it to spoof identity, and some (a few) use it to send email anonymously. Usually a web mailform using the mail() function …
Read more