利用开源 SNI PROXY+DNSMASQ 工具链实战 Netflix 流媒体解锁

本文采用 SNI PROXY 开源工具为 “liulilittle/sniproxy: Enhanced sni-proxy supports "HTTP, HTTP-SSL" and reverse proxy, and can be used to unlock streaming media resources of "Netflix, Disney+, TVB and TikTok". (github.com)”，它支持 “HTTP、HTTP SSL”、反向代理。

准备工作：

1、寻找一台已经解锁 Netflix 流媒体的公共互联网IP服务器，甲骨文韩国首尔，或许会是一个不错的选项。

2、服务器操作系统部署为 Ubuntu 16/18/20/22，可以为 “CentOS 7”、“Debian 9/10”。

3、从 Github 上面下载已编译的，SNI PROXY目标平台二进制程序，目前有以下列举的平台编译二进制程序。

     3.1、sniproxy-win-x86.zip

     3.2、sniproxy-win-x86_64.zip

     3.3、sniproxy-linux-x86_64.zip 

     3.4、sniproxy-linux-aarch64.zip 

 不相信编译的二进制程序安全性，那你可以自行配置编译环境编译程序，具体参考：CMakeLists.txt 上配置的库依赖，VS 2022编译，库依赖，可以由 vcpkg 管理部署。

4、配置解压缩 sniproxy 以后的 appsettings.json BSON格式配置文件

配置选项（注解：）

concurrent，最大并发数量，缺省：<= 0 则为设备CPU核心数

backlog， 连接请求队列

fast-open，TFO连接快速打开

turbo.lan，加速本地方向

turbo.wan，加速远程方向

listen.http，服务器监听的HTTP前置代理（同时支持IPV6/IPV4）

listen.http-ssl，服务器监听的HTTPS前置代理（同时支持IPV6/IPV4）

reverse-proxy.host，反向代理服务器域名（遇到请求该域名资源则反向代理转发）

reverse-proxy.http，反向代理转发的HTTP服务器（用户访问HTTP时）

reverse-proxy.http-ssl，反向代理转发的HTTPS服务器（用户访问HTTPS时）

connect.timeout，连接超时时间

5、安装 DNSMASQ 本地DNS查询服务器

sudo apt-get install dnsmasq -y

6、修改 DNSMASQ 全局配置

nano /etc/dnsmasq.conf

配置内容为：

domain-needed
bogus-priv
no-resolv
no-poll
all-servers
server=8.8.8.8
server=1.1.1.1
server=208.67.222.222
server=4.2.2.1
cache-size=2048
local-ttl=60
interface=*
conf-dir=/etc/dnsmasq.d/,smu.conf
resolv-file=/etc/resolv.dnsmasq.conf

7、配置上游DNS服务器

 nano /etc/resolv.dnsmasq.conf

配置内容为：

nameserver 8.8.8.8 
nameserver 1.1.1.1 
nameserver 208.67.222.222 
nameserver 4.2.2.1 

8、配置流媒体解锁DNS清单，设解锁流媒体的服务器IP为：“152.70.252.14（甲骨文韩国首尔）”

nano /etc/dnsmasq.d/smu.conf
配置内容为：

address=/akadns.net/152.70.252.14
address=/akam.net/152.70.252.14
address=/akamai.com/152.70.252.14
address=/akamai.net/152.70.252.14
address=/akamaiedge.net/152.70.252.14
address=/akamaihd.net/152.70.252.14
address=/akamaistream.net/152.70.252.14
address=/akamaitech.net/152.70.252.14
address=/akamaitechnologies.com/152.70.252.14
address=/akamaitechnologies.fr/152.70.252.14
address=/akamaized.net/152.70.252.14
address=/edgekey.net/152.70.252.14
address=/edgesuite.net/152.70.252.14
address=/srip.net/152.70.252.14
address=/footprint.net/152.70.252.14
address=/level3.net/152.70.252.14
address=/llnwd.net/152.70.252.14
address=/edgecastcdn.net/152.70.252.14
address=/cloudfront.net/152.70.252.14
address=/netflix.com/152.70.252.14
address=/netflix.net/152.70.252.14
address=/nflximg.com/152.70.252.14
address=/nflximg.net/152.70.252.14
address=/nflxvideo.net/152.70.252.14
address=/nflxso.net/152.70.252.14
address=/nflxext.com/152.70.252.14
address=/hulu.com/152.70.252.14
address=/huluim.com/152.70.252.14
address=/hbonow.com/152.70.252.14
address=/hbogo.com/152.70.252.14
address=/hbo.com/152.70.252.14
address=/amazon.com/152.70.252.14
address=/amazon.co.uk/152.70.252.14
address=/amazonvideo.com/152.70.252.14
address=/crackle.com/152.70.252.14
address=/pandora.com/152.70.252.14
address=/vudu.com/152.70.252.14
address=/blinkbox.com/152.70.252.14
address=/abc.com/152.70.252.14
address=/fox.com/152.70.252.14
address=/theplatform.com/152.70.252.14
address=/nbc.com/152.70.252.14
address=/nbcuni.com/152.70.252.14
address=/ip2location.com/152.70.252.14
address=/pbs.org/152.70.252.14
address=/warnerbros.com/152.70.252.14
address=/southpark.cc.com/152.70.252.14
address=/cbs.com/152.70.252.14
address=/brightcove.com/152.70.252.14
address=/cwtv.com/152.70.252.14
address=/spike.com/152.70.252.14
address=/go.com/152.70.252.14
address=/mtv.com/152.70.252.14
address=/mtvnservices.com/152.70.252.14
address=/playstation.net/152.70.252.14
address=/uplynk.com/152.70.252.14
address=/maxmind.com/152.70.252.14
address=/disney.com/152.70.252.14
address=/disneyjunior.com/152.70.252.14
address=/adobedtm.com/152.70.252.14
address=/bam.nr-data.net/152.70.252.14
address=/bamgrid.com/152.70.252.14
address=/braze.com/152.70.252.14
address=/cdn.optimizely.com/152.70.252.14
address=/cdn.registerdisney.go.com/152.70.252.14
address=/cws.conviva.com/152.70.252.14
address=/d9.flashtalking.com/152.70.252.14
address=/disney-plus.net/152.70.252.14
address=/disney-portal.my.onetrust.com/152.70.252.14
address=/disney.demdex.net/152.70.252.14
address=/disney.my.sentry.io/152.70.252.14
address=/disneyplus.bn5x.net/152.70.252.14
address=/disneyplus.com/152.70.252.14
address=/disneyplus.com.ssl.sc.omtrdc.net/152.70.252.14
address=/disneystreaming.com/152.70.252.14
address=/dssott.com/152.70.252.14
address=/execute-api.us-east-1.amazonaws.com/152.70.252.14
address=/js-agent.newrelic.com/152.70.252.14
address=/xboxlive.com/152.70.252.14
address=/lovefilm.com/152.70.252.14
address=/turner.com/152.70.252.14
address=/amctv.com/152.70.252.14
address=/sho.com/152.70.252.14
address=/mog.com/152.70.252.14
address=/wdtvlive.com/152.70.252.14
address=/beinsportsconnect.tv/152.70.252.14
address=/beinsportsconnect.net/152.70.252.14
address=/fig.bbc.co.uk/152.70.252.14
address=/open.live.bbc.co.uk/152.70.252.14
address=/sa.bbc.co.uk/152.70.252.14
address=/www.bbc.co.uk/152.70.252.14
address=/crunchyroll.com/152.70.252.14
address=/ifconfig.co/152.70.252.14
address=/omtrdc.net/152.70.252.14
address=/sling.com/152.70.252.14
address=/movetv.com/152.70.252.14
address=/happyon.jp/152.70.252.14
address=/abema.tv/152.70.252.14
address=/hulu.jp/152.70.252.14
address=/optus.com.au/152.70.252.14
address=/optusnet.com.au/152.70.252.14
address=/gamer.com.tw/152.70.252.14
address=/bahamut.com.tw/152.70.252.14
address=/hinet.net/152.70.252.14
 

9、查看监听UDP:53端口的进程及进程PID

lsof -Pnl +M -i4 | grep 53
lsof -Pnl +M -i6 | grep 53
 

10、进程不是DNSMASQ在监听UDP:53端口则：

kill -9 $PID && systemctl restart dnsmasq  或 kill -9 $PID && service dnsmasq restart

进程是DNSMASQ在监听UDP:53端口则：

systemctl restart dnsmasq 或 service dnsmasq restart

补充：systemctl restart NetworkManager.service （CentOS 8 系统用该方法）

11、检查DNSMASQ状态是否重启成功？

service dnsmasq status 或 systemctl status dnsmasq

12、测试服务器本地环路上的DNSMASQ配置的 Netflix 解锁的DNS查询是否正确？

# nslookup netflix.com 127.0.0.1 

Server:        127.0.0.53
Address:    127.0.0.53#53

Name:    netflix.com
Address: 152.70.252.14
Name:    netflix.com
Address: 2600:1f14:62a:de81:b848:82ee:2416:447e
Name:    netflix.com
Address: 2600:1f14:62a:de80:69a8:7b12:8e5f:855d
Name:    netflix.com
Address: 2600:1f14:62a:de82:822d:a423:9e4c:da8d

13、配置本地服务器的 nano /etc/resolv.conf，其它机器或设备DNS服务器配置为本机公共IP地址且本机服务器上面开放UDP:53端口的公共网络访问权限（防火墙）

nameserver 127.0.0.53 # 或:: nameserver 127.0.0.1

14、上述环境均配置正确以后可以使用以下的URL进行测试，查看 Netflix 流媒体的资源是否在用户端被解锁。

解锁检查URL：Breaking Bad | 넷플릭스 (netflix.com) 

如果显示类似上面的界面，恭喜你，大功告成，你已成功的，解锁了 Netflix 流媒体的访问权限！ 如果没有这个界面，则按照上述步骤自行检查故障，出现在哪里，直到被解决！