Forked from jamesmacwhite/Workarounds for Netflix and the blocking of IPv6 tunnels.md
Created March 15, 2020 10:06
Gist: rampageX/1c2647d0e143d5751351f3ad01fe3899
Revisions
jamesmacwhite revised this gist
Nov 9, 2019. 1 changed file with 15 additions and 17 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,19 +11,19 @@ Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy ser Netflix has a help article on the matter: https://help.netflix.com/en/node/277 In the early days this article didn't mention anything about IPv6, but now it pretty much spells out if you use a tunnel service for IPv6 you are on your own and won't get any support from Netflix about it, but there is a potential workaround. In order to maintain keeping your IPv6 tunnel active while browsing Netflix you need to basically prevent any traffic to Netflix going over IPv6 and fallback to IPv4, which will likely be using your normal WAN connection from a ISP or provider which Netflix won't treat as a proxy/VPN. To implement such a workaround you'll need to have a DNS setup that you can fully control. You'll need to have the ability to implement one of the following implementations: 1. Return a null response on AAAA lookups for certain Netflix domains. 2. Conditionally forward certain Netflix domain lookups to another DNS resolver that strips AAAA records from lookup responses entirely. 3. Block or sink hole Netflix IPv6 ranges (not recommended, explained in more detail later on). This gist focuses on using `dnsmasq` (commonly found in embedded products i.e. routers) but the overall concept of modifying AAAA lookup responses can be applied to other services like unbound, bind etc. ## Netflix domains that need be specially handled These are the key Netflix domains that need to be handled to prevent IPv6 being used and avoiding a 6in4 tunnel or similar. * netflix.com * netflix.net 
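Review bot: the prerequisite sentence "you'll need to have a DNS setup that you can fully control" should also say that the workaround only covers clients that actually use that resolver; devices that pin their own DNS servers (the Chromecast/Google Public DNS case this document handles later with firewall rules) are not addressed by any of the three listed options on their own. One sentence after item 3 pointing at that section would save readers a debugging round when a streaming device ignores the router's DNS.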
@@ -54,7 +54,7 @@ server=/nflxso.net/# address=/nflxso.net/:: ``` If you are already running dnsmasq, this is the most simpliest method, without having to worry about additional configurations or services. After this configuration is applied a DNS lookup for a domain in this list would now return `::`, which is the NULL response. This would prevent `netflix.com` requests going over IPv6 and fallback to IPv4. ``` ; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA netflix.com @127.0.0.1 @@ -96,7 +96,7 @@ server=/nflxso.net/127.0.0.1#2053 #### Creating a BIND DNS resolver that removes AAAA records from lookups I chose bind as it has a specific parameter `filter-aaaa-on-v4`. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion or simply want to force IPv4 for other services for whatever reason. ``` options { @@ -118,7 +118,7 @@ options { }; ``` You can use any forwarders you like, the example below uses OpenDNS. If you are running this on an external facing IP address, you should be careful and make sure you only allow recursion on specific requests and ACL accordingly. Not doing so will make you an open DNS resolver, it won't take long for someone to start abusing your server and generating a high rate of traffic. The `--enable-filter-aaaa` option must be enabled at compile time in order for this config to work, see this page for more information: 
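Review bot: "return `::`, which is the NULL response" is not quite accurate: dnsmasq answers the AAAA query with a real record whose value is the unspecified address `::` (the dig output elsewhere in the file shows `netflix.com. 2 IN AAAA ::`), not an empty NODATA answer. The fallback the paragraph describes happens because nothing Netflix-related is reachable at `::`, so the IPv6 attempt fails quickly and the client moves on to IPv4. Suggest wording it as "returns an AAAA record of `::` (the unspecified address), so the IPv6 connection attempt fails at once and the client falls back to IPv4".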
@@ -190,7 +190,7 @@ dig @127.0.0.1 netflix.com AAAA ;; MSG SIZE rcvd: 40 ``` If you get no AAAA records returned on your DNS resolver with Netflix queries, you're in business. Future Netflix connections should now only use IPv4. If you don't get the expected output this can be due to DNS caching and depending on your setup you might have to wait a bit of time for the correct DNS lookup information to be returned. You can flush the DNS cache of dnsmasq and/or on your local device. Alternatively, you may wish to reboot your router or device supplying DNS to ensure DNS caches are cleared. If you have a DNS chain, you'll need to ensure all DNS resolvers in the chain are not caching. If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. @@ -222,7 +222,7 @@ iptables -I FORWARD --destination 8.8.8.8 -j REJECT iptables -I FORWARD --destination 8.8.4.4 -j REJECT ``` In addition, some Google devices may also make DNS lookup requests over v6 to Google's public DNS servers, you may have to also block this traffic as well: ``` ip6tables -I FORWARD --destination 2001:4860:4860::8844 -j REJECT @@ -249,7 +249,7 @@ This method essentially allows DNS requests to `8.8.8.8` or `8.8.4.4`, but the r DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose. To implement this, you'll need to have a full root access to your router. **Enjoy your Netflix again!** 
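Review bot: the REJECT rules in the -222 hunk (`iptables -I FORWARD --destination 8.8.8.8 -j REJECT` and the `ip6tables` pair for `2001:4860:4860::8888` and `::8844`) carry no protocol or port match, so they block all forwarded traffic to those addresses, yet the -249 hunk states "the rules above only target UDP". Make explicit that the UDP-only remark refers to the interception rules of that section and not to these REJECT rules, or add `-p udp --dport 53` to the REJECT rules if only DNS is meant to be affected.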
@@ -261,7 +261,7 @@ In case you have any questions about the purpose/reasons for this workaround, he A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar). To clarify, Netflix is only blocking IPv6 tunnels because it cannot accurately confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have registered ultimately identifies as US to a lot of geo based systems concerning IPv6. This problem however is now redundant as Netflix has now straight blocked the IPv6 ranges of various IPv6 tunnel services altogether. **Q. I use a VPN and I get the same error message, will this workaround work for this?** 
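Review bot: the unchanged context line in this hunk still carries the typo "geo-restrcitions" (should be "geo-restrictions"); worth fixing while this paragraph is being edited.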
@@ -273,7 +273,7 @@ A. They shouldn't do. When you use your ISPs connection, the IP address you conn **Q. How does this workaround work?** A. In short, the workaround forces Netflix to use IPv4 for any requests when streaming. While you might think "why can't I just to make things use IPv4 first?" in reality, this is both against the general behaviour of IPv6 first (happy eyeballs) and difficult to actually enforce. Especially if you need to do this across different devices. Hence doing it at the router/DNS level allows you to control all variables required. This does require a bit of technical knowledge and control over your network however and might not be for everyone admittedly. **Fun fact:** Netflix has supported IPv6 for many years. IPv6 itself isn't the issue and something which we should be encouraging adoption of. The problem is for more tech savvy users that don't have native IPv6 from their ISP have opted to use a tunnel service for it instead. Since June 2016, Netflix shut off streaming access to its service for IPv6 tunnels services and this has what's caused the problem. Netflix's easy solution to this is to "disable" or stop using a IPv6 tunnel. However this isn't practical for many people and negates the reason having one in the first place. 
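Review bot: two grammar slips remain in the edited paragraph: "why can't I just to make things use IPv4 first?" (drop "to") and "this has what's caused the problem" (should be "this is what has caused the problem"). Also "a IPv6 tunnel" should be "an IPv6 tunnel" in the Fun fact line.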
@@ -291,8 +291,6 @@ A. Probably not, they were likely pressured into it in the first place by media Its also worth noting that IPv6 tunnel services are intended as transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). While you wait you can also read the hilarious IPv6 excuses Twitter account for some nerdy IPv6 banter: https://twitter.com/ipv6excuses?lang=en. **Q. Do any proxy/VPN services still work with Netflix?** A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services are blocked. -
jamesmacwhite revised this gist
Jan 3, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,7 +7,7 @@ Since I wrote this, various GitHub users have contributed their thoughts and ide ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. A while ago it became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered to be naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences most legitimate users, that simply want IPv6 connectivity, because their ISP is stuck in 1995. Netflix has a help article on the matter: https://help.netflix.com/en/node/277 -
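Review bot: the paragraph being edited still contains "opportunstic indiviuals" (should be "opportunistic individuals"); since this revision is a one-word spelling fix, those two could go in the same pass.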
jamesmacwhite revised this gist
Dec 30, 2018. 1 changed file with 18 additions and 14 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -126,7 +126,7 @@ https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html Where this resolver runs is entirely up to you. If you are running something like OpenWRT or DD-WRT you could run bind on a non-standard port like the example to avoid a port collision with an existing DNS setup i.e. `dnsmasq`. ### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the additional DNS resolver you've setup. @@ -196,7 +196,7 @@ If you get issues like timeouts, check to make sure the DNS server is actually r ### Method 3: Blocking Netflix IPv6 ranges (not recommended) While this method can work, the problem with it is that it is static and not as future proof as DNS related options. The problem is Netflix uses various content delivery networks and obtaining the ranges for them all is difficult. Netflix can also add new IPv6 ranges at anytime. While all of the workaround options can be "broken" by Netflix changing something, in my opinion domain based rules are cleaner than IPv6 ranges. Be mindful that blocking IPv6 ranges may require you to block non-Netflix networks like content delivery networks, which could have side effects for non-related services. If however you wish to null route or block IPv6 ranges, this can be achieved like so with `ip6tables`: 
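Review bot: "you can query any of the following Netflix domains listed above" in the -126 hunk is self-contradictory ("following" and "above"); "any of the Netflix domains listed above" reads cleanly. In the same hunk, "like the example" should say which example, since the port used by the bind instance (`2053` in the dnsmasq `server=` lines) is what the reader needs to copy.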
@@ -213,7 +213,7 @@ You may have to implement further changes if you experience problems with Google ### Streaming issues with Google Chromecast/Android devices Devices like Google Chromecast don't allow direct control of the DNS servers used and always try to use Google's Public DNS resolvers (both IPv4 and IPv6), these of course will return AAAA records and will undo any DNS workaround when streaming Netflix from such a device. You can however leverage a fallback option built into Chromecast devices (and likely other Google devices), where by if you block access to the Google Public DNS resolvers, it forces the Chromecast device to use the DHCP supplied DNS information and hence the DNS workaround will work. An example of doing this with `iptables`: @@ -229,7 +229,7 @@ ip6tables -I FORWARD --destination 2001:4860:4860::8844 -j REJECT ip6tables -I FORWARD --destination 2001:4860:4860::8888 -j REJECT ``` REJECT is a bit more friendly than DROP in this case, as the "fail" response will be quicker. You want the request to fail quickly in this case. You'd use `DROP` in a more defensive/security scenario. If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. @@ -249,7 +249,7 @@ This method essentially allows DNS requests to `8.8.8.8` or `8.8.4.4`, but the r DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose. To implement this, you'll need to have a full access to your router. **Enjoy your Netflix again!** 
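Review bot: the advice to scope the block "to the IP address of your Chromecast device with the `-s` option" via static DHCP covers the `iptables` rules, but for the `ip6tables` rules to `2001:4860:4860::8888` and `::8844` the match would be on the device's IPv6 source address, which a DHCPv4 reservation does not fix and which usually changes under SLAAC privacy addressing. Matching on the device's MAC address (`-m mac --mac-source`) works for both rule sets; suggest mentioning it alongside the `-s` advice.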
@@ -261,7 +261,7 @@ In case you have any questions about the purpose/reasons for this workaround, he A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar). To clarify, Netflix is only blocking IPv6 tunnels because it cannot fully confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have registered ultimately identifies as US to a lot of geo based systems concerning IPv6. This problem however is now redundant as Netflix has now straight blocked the IPv6 ranges of various IPv6 tunnel services altogether. **Q. I use a VPN and I get the same error message, will this workaround work for this?** 
@@ -273,34 +273,38 @@ A. They shouldn't do. When you use your ISPs connection, the IP address you conn **Q. How does this workaround work?** A. In short, the workaround forces Netflix to use IPv4 for any requests when streaming. While you might think "why can't I just to make things use IPv4 first?" in reality, this is both against the general behaviour of IPv6 first (happy eyeballs) and difficult to actually enforce. Especially if you need to do this across different devices. Hence doing it at the router/DNS level allows you to control the variables. It does require a bit of technical knowledge and control over your network however and might not be for everyone admittedly. **Fun fact:** Netflix has supported IPv6 for many years. IPv6 itself isn't the issue and something which we should be encouraging adoption of. The problem is for more tech savvy users that don't have native IPv6 from their ISP have opted to use a tunnel service for it instead. Since June 2016, Netflix shut off streaming access to its service for IPv6 tunnels services and this has what's caused the problem. Netflix's easy solution to this is to "disable" or stop using a IPv6 tunnel. However this isn't practical for many people and negates the reason having one in the first place. **Q. Will this workaround stop working in the future?** A. Depending on how you implemented it, it should be pretty robust, but if Netflix introduce a new domain not covered in the list above that has some form of IPv6 connectivity test which then determines proxy/VPN usage, it may have to be expanded, I have personally used this workaround since June 2016 and it hasn't let me down yet. **Q. Does this workaround allow me to bypass geo-restrictions?** A. No. It is simply designed to allow connectivity to Netflix, while having an IPv6 tunnel active. This does not allow you to obtain access to library content outside your region. 
This is basically the reason why this workaround had to be implemented in the first place for us legit IPv6 tunnel users. This is why we can't have nice things! **Q. Will Netflix unblock IPv6 tunnels in the future?** A. Probably not, they were likely pressured into it in the first place by media companies and license holders. Once the secret was out about how IPv6 tunnels were providing access to what should have been geo-restricted content, action was swiftly taken. To be honest, Netflix probably doesn't care that much about this (as long as your paying your monthly subscription!). It was more likely being lent on by higher powers, hence the rather bold straight blocking approach. Its also worth noting that IPv6 tunnel services are intended as transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). While you wait you can also read the hilarious IPv6 excuses Twitter account for some nerdy IPv6 banter: https://twitter.com/ipv6excuses?lang=en. Also as a customer of Virgin Media in the United Kingdom. WHY NO IPV6?! **Q. Do any proxy/VPN services still work with Netflix?** A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services are blocked. **Q. I'm not able to install additional software like `bind`, are there any alternatives?** A. Yes. There is a excellent lightweight DNS proxy specifically for Netflix IPv6 tunnel purposes. Written in Python, it should work on most Unix/Linux systems with little setup required. https://github.com/cdhowie/netflix-no-ipv6-dns-proxy The same concept applies, you need to have your primary DNS resolver forward requests to this proxy, be aware this DNS proxy is specifically for Netflix domain usage and won't strip the AAAA records of other domains if sent to it. 
You can edit the source code to expand it if you wanted to though. **Q. Who is "big media"?** A. My pet name for the media rights corporations who are ~~probably in the illuminati~~ stuck in the past and clearly don't understand technology. -
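Review bot: the "Will this workaround stop working in the future?" answer says a new uncovered domain "may have to be expanded" into the list but gives no way to notice that this has happened; suggest adding that dnsmasq's `log-queries` option makes it easy to spot AAAA lookups for Netflix-related names that are not in the list when streaming starts failing again. For the netflix-no-ipv6-dns-proxy alternative, the same caveat as the bind section applies and should be restated here: the proxy should listen on localhost or the LAN only, not on an Internet-facing address.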
jamesmacwhite revised this gist
Dec 29, 2018. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # Workarounds for Netflix and the blocking of IPv6 tunnels ###### The dreaded "You seem to be using an unblocker or proxy." error message. Cool story bro. *This gist was essentially created out of my own [rant about Netflix being hostile to IPv6 tunnel services since June 2016](https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/). You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network.* -
jamesmacwhite renamed this gist
Dec 29, 2018. 1 changed file with 42 additions and 39 deletions.
@@ -1,30 +1,29 @@ # Workarounds for Netflix and the blocking of IPv6 tunnels. ###### The dreaded "You seem to be using an unblocker or proxy." error message. Cool story bro. *This gist was essentially created out of my own [rant about Netflix being hostile to IPv6 tunnel services since June 2016](https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/). You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network.* Since I wrote this, various GitHub users have contributed their thoughts and ideas which has been incorporated into this gist. Thank you to everyone who have contributed their own methods and implementations. ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. A while ago it became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered to be naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences most legitimate users, that simply want IPv6 connectivity, beacause their ISP is stuck in 1995. Netflix has a help article on the matter: https://help.netflix.com/en/node/277 In the early days it didn't mention anything about IPv6, but now pretty much spells out if you use a tunnel service for IPv6 you are SOL and won't get any support from Netflix about it, but there is a potential workaround. 
In order to maintain keeping your IPv6 tunnel active while browsing Netflix you need to basically prevent any traffic to Netflix going over v6 and fallback to v4, which will likely be using your normal WAN connection from a ISP or provider which Netflix won't treat as a proxy/VPN. To implement such a workaround you'll need to have a DNS setup that you can control. You'll need to have the ability to implement one of the following workarounds: 1. Return a null response on AAAA lookups for certain domains 2. Conditionally forward certain domain lookups to another DNS resolver that strips AAAA records from lookup responses entirely. 3. Block or sink hole Netflix IPv6 ranges (not recommended, explained in more detail later on) This gist focuses on using `dnsmasq` (commonly found in embedded products i.e. routers) but the theory can be applied to other services like unbound, bind etc. ## Netflix domains that need be specially handled These are the key Netflix domains that need to be handled to prevent IPv6 being used. * netflix.com * netflix.net @@ -37,7 +36,7 @@ Some of these domains may not have AAAA records currently, but its possible this ### Method #1: Return null on AAAA lookups with dnsmasq The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching `server` and `address` line for each domain, otherwise you will unwillingly remove A record responses. Your dnsmasq.conf could get quite long very quickly using this method. If you have a bulk load of domains you could write a script to output the server and address lines to a file with the domain being a variable in a loop, fed by a list or another source. ``` # Null AAAA response on these domains 
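Review bot: the Method #1 paragraph asserts that without a matching `server` line "you will unwillingly remove A record responses" but never says why; the reason is that `address=/domain/::` makes dnsmasq answer that whole domain locally (an A query then gets an empty local answer instead of being forwarded), and `server=/domain/#` restores forwarding to the normal upstream servers for whatever the `address=` line does not answer. Spelling that out makes the pairing rule less arbitrary. For the "write a script to output the server and address lines" suggestion, the generated lines belong in their own file loaded with `conf-file=` (or a directory via `conf-dir=`) rather than appended to dnsmasq.conf, so regeneration does not clobber the rest of the config.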
@@ -55,7 +54,7 @@ server=/nflxso.net/# address=/nflxso.net/:: ``` If you are already running dnsmasq, this is the most simpliest method, without having to worry about additional configurations or services. After this configuration is applied a DNS lookup for a domain in this list would now return `::`, which is the NULL response. This would prevent `netflix.com` requests going over v6 and fallback to v4. ``` ; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA netflix.com @127.0.0.1 @@ -77,12 +76,14 @@ netflix.com. 2 IN AAAA :: ``` ### Method #2: Conditionally forward domains to a resolver that strips AAAA records A slightly more involved method is to conditionally forward DNS requests for certain Netflix domains to another DNS resolver that will strip AAAA records from domains. In this scenario, there will be another DNS resolver running somewhere in the network. Using `dnsmasq` as an example, you can define conditional forward rules like so: ``` # Resolve these domains with another resolver server=/netflix.com/127.0.0.1#2053 server=/netflix.net/127.0.0.1#2053 server=/nflxext.com/127.0.0.1#2053 @@ -91,14 +92,12 @@ server=/nflxvideo.net/127.0.0.1#2053 server=/nflxso.net/127.0.0.1#2053 ``` `127.0.0.1#2053` is the DNS resolver that will resolve the request. The DNS resolver could be anything or running anywhere. In this example, a DNS resolver is running on UDP 2053, in reality this can be anything. I will use `bind` for the resolver. #### Creating a BIND DNS resolver that removes AAAA records from lookups I chose bind as it has a specific parameter `filter-aaaa-on-v4`. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion. ``` options { directory "/tmp"; 
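Review bot: `filter-aaaa-on-v4` only strips AAAA records from answers to queries that arrived over IPv4 transport, so the conditional forward to `127.0.0.1#2053` (IPv4 loopback) is exactly what makes it take effect; the paragraph introducing the parameter should state this, because a reader who forwards to the resolver over IPv6 (for example `::1`) will see AAAA records pass through untouched and conclude the method is broken. The text also names the parameter without its value; "`filter-aaaa-on-v4 yes;`" is the setting this config relies on.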
@@ -119,17 +118,21 @@ options { }; ``` You can use any forwarders you like, the example below uses OpenDNS. If you are running this on an external IP address, you should be careful and make sure you only allow recursion on specific requests and ACL accordingly. Not doing so will make you an open DNS resolver, it won't take long for someone to start abusing your server and generating a high rate of traffic. The `--enable-filter-aaaa` option must be enabled at compile time in order for this config to work, see this page for more information: https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html Where this resolver runs is entirely up to you. If you are running something like OpenWRT or DD-WRT you could run bind on a non-standard port like the example to avoid a port collision with an existing DNS setup i.e. `dnsmasq`. #### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the additional DNS resolver you've setup. **AAAA DNS request made via Google Public DNS** Google's public DNS servers will always return AAAA records, this is what a typical request to `netflix.com` will look like: ``` dig @8.8.8.8 netflix.com AAAA @@ -162,9 +165,9 @@ netflix.com. 59 IN AAAA 2620:108:700f::36d6:1699 ;; MSG SIZE rcvd: 264 ``` **AAAA DNS request made via the BIND DNS server we setup** Making the same request to our primary DNS resolver that has been configured to strip AAAA records, we should get no AAAA records returned, even if we explicitly request them. ``` dig @127.0.0.1 netflix.com AAAA 
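Review bot: the open-resolver warning in the -119 hunk ("make sure you only allow recursion on specific requests and ACL accordingly") is left entirely to the reader, while the `options {` block above it is presented as the minimal working config. Since dnsmasq reaches this instance only on `127.0.0.1#2053`, the minimal config should carry the restriction itself, e.g. `listen-on port 2053 { 127.0.0.1; };` and `allow-recursion { localhost; };`, so that copying the example verbatim cannot produce an Internet-facing open resolver.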
@@ -187,7 +190,7 @@ dig @127.0.0.1 netflix.com AAAA ;; MSG SIZE rcvd: 40 ``` If you get no AAAA records returned on your DNS resolver with Netflix queries, your in business. Future Netflix connections should now only use IPv4. If you don't get the expected output this can be due to DNS caching and depending on your setup you might have to wait a bit of time for the correct DNS lookup information to be returned. Alternatively, you may wish to reboot your router or device supplying DNS to ensure DNS caches are cleared. If you have a DNS chain, you'll need to ensure all DNS resolvers in the chain are not caching. If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. @@ -230,7 +233,7 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. #### Intercepting Google DNS traffic, rather than blocking There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via `iptables`: 
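Review bot: "your in business" in the -187 hunk should be "you're in business". Also "ensure all DNS resolvers in the chain are not caching" overstates the requirement: every resolver in the chain will cache; what matters is that AAAA answers cached before the change have expired or been flushed, so "are not still serving cached AAAA answers" is the accurate condition and matches the flush/reboot advice that follows.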
@@ -260,36 +263,36 @@ A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 To clarify, Netflix is only blocking IPv6 tunnels because it cannot fully confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have ultimately identifies as US to a lot of geo based systems concerning IPv6. This problem however is now redundant as Netflix has now straight blocked the IPv6 ranges of various IPv6 tunnel services altogether. **Q. I use a VPN and I get the same error message, will this workaround work for this?** A. Using a VPN with Netflix is very tricky because Netflix actively blocks such services. You'll likely want to look at something called split tunnelling where by you have a VPN connection active, but send Netflix traffic through your WAN (non VPN gateway). This however is out of scope of what is achieved with the information in this gist. **Q. Will Netflix block my actual normal ISP connection?** A. They shouldn't do. When you use your ISPs connection, the IP address you connect from shouldn't be considered a proxy/VPN. **Q. How does this workaround work?** A. In short, the workaround forces Netflix to use IPv4 for any requests when streaming. While you might think "why can't I just to make things use IPv4 first?" in reality, this is both against the general behaviour of v6 first (happy eyeballs) and difficult to actually enforce. Especially if you need to do this across different devices. Hence doing it at the router/DNS level allows you to control the variables. It does require a bit of technical knowledge and control over your network however and might not be for everyone. Side note: Netflix has supported IPv6 for many years. 
IPv6 itself isn't the issue and something which we should be encouraging adoption of. The problem is for more tech savvy users that don't have native IPv6 from their ISP have opted to use a tunnel service for it instead. Since June 2016, Netflix shut off streaming access to its service for IPv6 tunnels services and this has what's caused the problem. Netflix's easy solution to this is to "disable" or stop using a IPv6 tunnel. However this isn't practical for many people and negates the reason having one in the first place. **Q. Will this workaround stop working in the future?** A. Depending on how you implemented it, it should be pretty robust, but if Netflix introduce a new domain not covered in the list above that has some form of IPv6 connectivity test which then determines proxy/VPN usage, it may have to be expanded, I have personally used this workaround since June 2016 and it hasn't let me down yet. **Q. Does this workaround allow me to bypass geo-restrictions?** A. No. It is simply designed to allow connectivity to Netflix, while having an IPv6 tunnel active. This does not allow you to obtain access to library content outside your region. This is basically the reason why this workaround has to be implemented in the first place for us legit IPv6 tunnel users. This is why we can't have nice things! **Q. Will Netflix unblock IPv6 tunnels in the future?** A. Probably not, they were likely pressured into it in the first place by media companies and license holders. Netflix probably don't care that much either, as long as your paying your monthly subscription. Big media didn't like it though! Hence the ban hammer. Its also worth noting that IPv6 tunnel services are transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). While you wait you can also read the hilarious IPv6 excuses Twitter account for some nerdy IPv6 banter: https://twitter.com/ipv6excuses?lang=en **Q. 
Do any proxy/VPN services still work with Netflix?** A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services will be blocked for sure. **Q. I'm not able to run bind9, are there any alternatives?** A. Yes. There is a excellent lightweight DNS proxy specifically for Netflix IPv6 tunnel purposes. Written in Python, it should work on most Unix/Linux systems with little setup required. -
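Review bot: the last answer in this hunk (`Q. I'm not able to run bind9, are there any alternatives?`) recommends "a excellent lightweight DNS proxy specifically for Netflix IPv6 tunnel purposes. Written in Python" but gives neither its name nor a link, so a reader cannot act on it; add the project reference. Two smaller points in the same hunk: the `How does this workaround work?` answer now says "v6 first (happy eyeballs)" without stating the one fact the reader needs, that the fix works because the client never receives an AAAA record and so never attempts an IPv6 connection at all; and the VPN answer should say plainly that split tunnelling is a routing change ("send Netflix traffic through your WAN"), not a DNS one, so none of the dnsmasq or BIND configuration on this page applies to that case.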
jamesmacwhite revised this gist
Dec 29, 2018 . 1 changed file with 4 additions and 4 deletions.
@@ -187,22 +187,22 @@ dig @127.0.0.1 netflix.com AAAA ;; MSG SIZE rcvd: 40 ``` If you get no AAAA records returned on your DNS resolver with Netflix queries, your in business. Future Netflix connections should now only use IPv4. If you don't get the expected output this can be due to DNS caching and depending on your setup you might have to wait a bit of time for the correct DNS lookup information to be returned. Alternatively, you may wish to reboot your router or device supplying DNS to ensure DNS caches are cleared. If you have a DNS chain, you'll need to ensure all DNS resolvers in the chain are not cached. If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. ### Method 3: Blocking Netflix IPv6 ranges (not recommended) While this method can work, the problem with it is that it is static and not as future proof as DNS related options. The problem is Netflix uses various content delivery networks and obtaining the ranges for them all is difficult. Netflix can also add new IPv6 ranges at anytime. While all of the workaround options can be "broken" by Netflix changing something, in my opinion domain based rules are cleaner than IPv6 ranges. Be mindful that blocking IPv6 ranges may required you to block non-Netflix networks like content delivery networks, which could have side effects for non-related services. If however you wish to null route or block IPv6 ranges, this can be achieved like so with `ip6tables`: ``` ip6tables -I OUTPUT -d 2a01:578:3::/64 -j REJECT ip6tables -I FORWARD -d 2a01:578:3::/64 -j REJECT ``` You may have to experiment with additional ranges in order to stop Netflix using IPv6 for your geolocation. ## Additional configuration -
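Review bot: Method 3 in this hunk says "null route or block IPv6 ranges" but the commands only do the second: `ip6tables ... -j REJECT` filters packets in the firewall, a null route would be a blackhole entry in the routing table, and the two fail differently (REJECT returns an ICMPv6 error immediately, which is what you want for fast fallback, the same argument the Chromecast section makes for REJECT over DROP). Pick one term and match it to the command shown. Also say that `2a01:578:3::/64` is only an illustration and where it came from, because the paragraph above warns that obtaining the ranges is difficult and that they change at any time; and note that rules added with `-I` exist only in the running ruleset and must be saved or placed in the firewall start-up script to survive a reboot.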
jamesmacwhite revised this gist
Dec 28, 2018 . 1 changed file with 1 addition and 1 deletion.
@@ -37,7 +37,7 @@ Some of these domains may not have AAAA records currently, but its possible this ### Method #1: Return null on AAAA lookups with dnsmasq The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching `server` and `address` line for each domain, otherwise you will unwillingly remove A record responses, which will break things. Your dnsmasq.conf could get quite long very quickly. If you have a bulk load of domains you could write a script to output the server and address lines with the domain being a variable in a loop, fed by a file or another source. ``` # Null AAAA response on these domains -
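Review bot: the reworded sentence "otherwise you will unwillingly remove A record responses, which will break things" states the symptom but not the mechanism, and the mechanism is what a reader adapting this to other domains needs: `address=/netflix.com/::` makes dnsmasq answer queries for that domain itself instead of forwarding them, so A lookups get no usable answer, and the paired `server=/netflix.com/#` is what sends the A lookups back out to the normal upstream servers while the `address=` line still overrides the AAAA answer. One sentence saying that would also explain why the two lines must name exactly the same domain.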
jamesmacwhite revised this gist
Dec 28, 2018 . 1 changed file with 32 additions and 12 deletions.
@@ -2,18 +2,26 @@ *This gist was essentially created out of my own [rant about Netflix being hostile to IPv6 tunnel services since June 2016](https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/). You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network.* Since I wrote this, various GitHub users have contributed their thoughts and ideas which has been incorporated into this gist. ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. It became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences most legitimate users, that simply want IPv6 connectivity, beacause their ISP is stuck in 1995. https://help.netflix.com/en/node/277 In order to maintain keeping your IPv6 tunnel active while browsing Netflix, you must force Netflix to always use IPv4 (which is likely to be using your normal ISP WAN gateway as normal). Despite Netflix support stating you should simply "disable" your IPv6 tunnel, this is impossible when you have a IPv6 tunnel deployed across a LAN at the router level and have servers and services running over v6 using the address space. 
To implement such a workaround you'll need to have a DNS setup that can allow you to either prevent AAAA records being returned on various domain requests or conditionally forward specific Netflix domain lookups to a special DNS resolver that can strip AAAA (IPv6 addresses) records from the DNS request, essentially forcing IPv4 connections. This guide focuses on dnsmasq, but the concept can be applied to other DNS setups like unbound, bind etc. **The common approaches of allowing Netflix to work with an IPv6 tunnel are:** 1. Return null on AAAA lookups for certain domains 2. Conditionally forward certain domains to another DNS resolver that strips AAAA records from lookup responses. 3. Block Netflix IPv6 ranges (not recommended, explained in more detail later on) ## Netflix domains that need be specially handled These are the key Netflix domains that need to be handled in a specific way. Mainly to have any AAAA record stripped or nulled before it is resolved and passed to the client. @@ -27,11 +35,6 @@ These are the key Netflix domains that need to be handled in a specific way. Mai Some of these domains may not have AAAA records currently, but its possible this might change in the future, so they are covered off to be future proofed. ### Method #1: Return null on AAAA lookups with dnsmasq The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching server and address line for each domain, otherwise you will also remove A record responses, which will break. Your dnsmasq.conf could get quite long very quickly. If you have a bulk load of domains you could write a script to output the server and address lines with the domain being a variable in a loop, fed by a file or another source. 
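Review bot: style point on the expanded "The problem" section in this hunk: "naughty proxy pirates", "got all stressy", "stuck in 1995" and similar editorialising sit between the two sentences a reader actually needs (Netflix treats tunnel brokers as proxies; HE address space geolocates to the US) and make a technical how-to harder to skim. The first paragraph already links the blog rant; keep the opinion there and leave this section with the facts and the help-article link. A smaller point: the sentence before the numbered approaches still says the reader needs "a DNS setup", but approach 3 ("Block Netflix IPv6 ranges") is a firewall method, so say DNS or firewall control.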
@@ -90,7 +93,7 @@ server=/nflxso.net/127.0.0.1#2053 You can host the additional DNS server anywhere you like, you can also run multiple servers if you like redundancy. If you have a router with custom firmware like OpenWRT or DD-WRT, you could run it there. #### Creating a BIND DNS resolver that removes AAAA records from lookups I chose bind as it has a specific parameter `filter-aaaa-on-v4`. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion. 
@@ -188,6 +191,23 @@ If you get no AAAA records returned on your DNS resolver with Netflix queries, y If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. ### Method 3: Blocking Netflix IPv6 ranges (not recommended) While this method can work, the problem with it is that it is static and not as future proof as DNS related options. The problem is Netflix uses various content delivery networks and obtaining the ranges for them all is difficult. Netflix can also add new IPv6 ranges at anytime. While all of the workaround options can be "broken" by Netflix changing something, in my opinion domain based rules are cleaner than IPv6 ranges. If however you wish to null route or block IPv6 ranges, this can be achieved like so: ``` ip6tables -I OUTPUT -d 2a01:578:3::/64 -j REJECT ip6tables -I FORWARD -d 2a01:578:3::/64 -j REJECT ``` You may have to experiment with additional ranges to get the desired effect. ## Additional configuration You may have to implement further changes if you experience problems with Google/Android devices. ### Streaming issues with Google Chromecast/Android devices Devices like Google Chromecast don't allow direct control of the DNS servers used and always try to use Google's Public DNS resolvers of `8.8.8.8` and `8.8.4.4`, these of course will return AAAA records and cause issues when streaming Netflix (even if you have implemented this workaround on the network the stream activity is running on). You can however leverage a fallback option built into Chromecast devices (and possibly other Google devices), where by if you block access to the Google Public DNS resolvers, it forces the Chromecast device to use the DHCP supplied DNS information and hence the DNS workaround will work. 
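Review bot: the `ip6tables` example in the new Method 3 does not say what the two chains are for: `-I OUTPUT` only affects traffic originating on the box running the rules, while `-I FORWARD` is the rule that stops LAN clients; on a router the FORWARD rule does the real work and the OUTPUT rule matters only if the router itself streams. Say which applies, and give the reader a way to find the ranges for their own deployment rather than the single `2a01:578:3::/64`, since the paragraph above admits the ranges are hard to obtain and can change at any time. The Chromecast paragraph that follows is clear as written.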
@@ -238,15 +258,15 @@ In case you have any questions about the purpose/reasons for this workaround, he A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar). To clarify, Netflix is only blocking IPv6 tunnels because it cannot fully confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have ultimately identifies as US to a lot of geo based systems concerning IPv6. This problem however is now redundant as Netflix has now straight blocked the IPv6 ranges of various IPv6 tunnel services altogether. **Q. Will Netflix block my actual ISP?** A. No. When you use your ISPs connection, the IP address you connect from will not be considering a proxy/VPN as Netflix won't block the IPv4/IPv6 space of a registered residental/business ISP. The exception to this is known VPN/proxy services, these are being added to Netflix's blocklists and it gets updated regularly. **Q. How does this workaround work?** A. Essentially when a request is sent to Netflix, a IPv6 connectivity test is done to confirm if you can use their IPv6 network. Remeber, the default protocol behaviour is to try IPv6 first (happy eyeballs). We are essentially fooling Netflix into making all requests use their IPv4 network, because we have either stripped or nulled AAAA records from such requests or blocked IPv6 traffic to Netflix entirely, making it look like we only have IPv4 connectivity. Sneaky, yet effective. Netflix traffic goes over IPv4, while you get to keep your IPv6 connectivity for everything else and be part of the slowly rising IPv6 traffic level of the world. Bonus! **Q. 
Will this workaround stop working in the future?** @@ -264,9 +284,9 @@ A. Probably not, they were likely pressured into it in the first place by media A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services will be blocked for sure. **Q. Can I forward other non-Netflix domains using the conditional resolver method?** A. Yes. The way the bind9 config is setup is basically to strip any AAAA records from domains passed to it. It is not limited to Netflix domains. You just need to let your primary DNS server/resolver (in this example, Dnsmasq) know to forward it to somewhere else. For a real non-Netflix example, mega.co.nz or mega.nz will not work over v6 via Hurricane Electric because MEGA uses Cogent to carry their IPv6 traffic, which lacks any route to the Hurricane Electric network. See this thread on the HE forums: https://forums.he.net/index.php?topic=3530.0 about the whole HE vs Cogent saga. Using this workaround for MEGA domains will allow you to access the service, because IPv4 will essentially be forced. -
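Review bot: two answers in the FAQ hunk state more than the page supports. `Q. Will Netflix block my actual ISP? A. No.` is an unconditional promise the gist cannot make; the Nov 2019 revision at the top of this page already softens it to "They shouldn't do", and that wording belongs here. And "a IPv6 connectivity test is done to confirm if you can use their IPv6 network" asserts a Netflix-side mechanism with no evidence on the page; the workaround is fully explained by the client side (no AAAA answer, so the client never opens an IPv6 connection), so drop the "test" claim and keep the address-selection explanation. The MEGA/Cogent example in the second hunk is a useful contrast and should say explicitly that it is a reachability problem (no route between HE and Cogent), not a policy block, so readers do not expect the same symptom.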
jamesmacwhite revised this gist
Dec 28, 2018 . 1 changed file with 21 additions and 1 deletion.
@@ -52,7 +52,27 @@ server=/nflxso.net/# address=/nflxso.net/:: ``` If you are already running dnsmasq, this is the most simpliest method, without having to worry about additional configurations or services. After this configuration is applied a DNS lookup for a domain in this list would now return `::`, which is the NULL response. ``` ; <<>> DiG 9.10.3-P4-Raspbian <<>> AAAA netflix.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6272 ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;netflix.com. IN AAAA ;; ANSWER SECTION: netflix.com. 2 IN AAAA :: ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Dec 28 11:23:40 GMT 2018 ;; MSG SIZE rcvd: 57 ``` ### Method #2: Conditionally forward domains to a special resolver -
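Review bot: the dig output added here shows `netflix.com. 2 IN AAAA ::` and the text calls this "the NULL response", but it is not an empty answer: `::` is the IPv6 unspecified address, returned in a normal NOERROR reply with `ANSWER: 1`. The BIND method on this page gives a different result, NOERROR with no answer section (the 40-byte reply in the verification section). Both work because a client treats `::` as unusable and falls back to the A record, but the page should say that the two methods produce different answers, and the verification text elsewhere ("If you get no AAAA records returned ... your in business") needs a caveat, because with Method 1 the reader will get an AAAA record back, just an unusable one.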
jamesmacwhite revised this gist
Dec 28, 2018 . 1 changed file with 5 additions and 17 deletions.
@@ -12,7 +12,7 @@ In order to maintain keeping your IPv6 tunnel active while browsing Netflix, you To implement such a workaround you'll need to have a DNS setup that can allow you to either prevent AAAA records being returned on various domain requests or conditionally forward specific Netflix domain lookups to a special DNS resolver that can strip AAAA (IPv6 addresses) records from the DNS request, essentially forcing IPv4 connections. This guide focuses on dnsmasq, but the concept can be applied to other DNS setups like unbound, bind etc. ## Netflix domains that need be specially handled @@ -27,12 +27,10 @@ These are the key Netflix domains that need to be handled in a specific way. Mai Some of these domains may not have AAAA records currently, but its possible this might change in the future, so they are covered off to be future proofed. The two most common approaches of fixing the issue are: 1. Directly prevent AAAA lookups on specific domains with specific configuration 2. Conditionally forward certain domains to another DNS resolver that strips AAAA records from lookups. ### Method #1: Return null on AAAA lookups with dnsmasq
@@ -58,7 +56,7 @@ If you are already running dnsmasq, this is the most simpliest method, without h ### Method #2: Conditionally forward domains to a special resolver Conditionally forwarding DNS requests for these domains to another DNS resolver. In this example, there is another DNS resolver running on localhost (likely a router or an existing DNS server) on the non standard port udp 2053. The port number can be anything you'd like, providing no firewall is blocking it. The reason why a non standard port number is used, is to avoid a port collision. For example, you may be running DNS services on the same box. ``` # Remove AAAA responses from Netflix DNS requests @@ -70,7 +68,7 @@ server=/nflxvideo.net/127.0.0.1#2053 server=/nflxso.net/127.0.0.1#2053 ``` You can host the additional DNS server anywhere you like, you can also run multiple servers if you like redundancy. If you have a router with custom firmware like OpenWRT or DD-WRT, you could run it there. ## Creating a BIND DNS resolver that removes AAAA records from lookups @@ -102,16 +100,6 @@ The `--enable-filter-aaaa` option must be enabled at compile time in order for t https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html #### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the special DNS resolver you've setup. -
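Review bot: heading levels in this revision no longer match the structure: `### Method #2: Conditionally forward domains to a special resolver` is followed by `## Creating a BIND DNS resolver that removes AAAA records from lookups`, so the BIND setup, which exists only to serve Method #2, renders as a top-level section above both methods, and `#### Confirming AAAA records are removed from DNS lookups` then hangs under it. Demote the BIND heading to `####` (the next revision on this page does exactly that). Also, the new "two most common approaches" list says "Directly prevent AAAA lookups"; the dnsmasq config does not prevent the lookup, it answers it locally with `::`, so say that instead.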
jamesmacwhite revised this gist
Dec 28, 2018 . 1 changed file with 9 additions and 7 deletions.
@@ -10,13 +10,13 @@ https://help.netflix.com/en/node/277 In order to maintain keeping your IPv6 tunnel active while browsing Netflix, you must force Netflix to always use IPv4 (which is likely to be using your ISP WAN gateway as normal). Despite Netflix support stating you should simply "disable" your IPv6 tunnel, this is impossible when you have a IPv6 tunnel deployed across a LAN at the router level and have servers and services running over v6 using the address space. To implement such a workaround you'll need to have a DNS setup that can allow you to either prevent AAAA records being returned on various domain requests or conditionally forward specific Netflix domain lookups to a special DNS resolver that can strip AAAA (IPv6 addresses) records from the DNS request, essentially forcing IPv4 connections. This guide focuses on a couple of common DNS resolver setups. The concept however is pretty standard and can be applied other DNS resolver setups not covered here e.g. Unbound. ## Netflix domains that need be specially handled These are the key Netflix domains that need to be handled in a specific way. Mainly to have any AAAA record stripped or nulled before it is resolved and passed to the client. * netflix.com * netflix.net
@@ -31,12 +31,12 @@ Some of these domains may not have AAAA records currently, but its possible this With dnsmasq, you have two options: 1. Directly prevent AAAA lookups on specific domains with specific configuration 2. Conditionally forward such domains to another DNS resolver that strips AAAA records from lookups. ### Method #1: Return null on AAAA lookups with dnsmasq The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching server and address line for each domain, otherwise you will also remove A record responses, which will break. Your dnsmasq.conf could get quite long very quickly. If you have a bulk load of domains you could write a script to output the server and address lines with the domain being a variable in a loop, fed by a file or another source. ``` # Null AAAA response on these domains @@ -54,7 +54,9 @@ server=/nflxso.net/# address=/nflxso.net/:: ``` If you are already running dnsmasq, this is the most simpliest method, without having to worry about additional configurations or services. ### Method #2: Conditionally forward domains to a special resolver Conditionally forwarding DNS requests for these domains to another DNS resolver. In this example, there is another DNS resolver running on localhost (likely a router or DNS server) on the non standard port udp 2053. The port number can be anything you'd like, providing no firewall is blocking it. The reason why a non standard port number is used, is to avoid a port collision. For example, you may be running DNS services on the same box. -
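Review bot: the Method #1 paragraph in this hunk ends mid-thought: "otherwise you will also remove A record responses, which will break." Say what breaks (every lookup for that domain, because the A records are gone too) or drop the clause. In the same paragraph "NULL address" is used for `::`, which is the IPv6 unspecified address; name it as such so readers know what to expect in dig. In the -54 hunk the port-collision explanation is good, but "providing no firewall is blocking it" only applies when the second resolver is on another host; when it really runs on `127.0.0.1#2053` as the config shows, say that it should listen on loopback only, so the non-standard port is not exposed on the LAN or WAN.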
jamesmacwhite revised this gist
Dec 12, 2018 . 1 changed file with 3 additions and 3 deletions.
@@ -36,10 +36,10 @@ With dnsmasq, you have two options: ### Method #1: The configuration below basically returns an AAAA response with a NULL address on any domains provided. The only downside to this method is you have to generate a matching server and address line for each domain. Your dnsmasq.conf could get quite long very quickly. If you have a bulk load of domains you could write a script to output the server and address lines with the domain being a variable, fed by a file or another source. ``` # Null AAAA response on these domains server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# @@ -56,7 +56,7 @@ address=/nflxso.net/:: ### Method #2 Conditionally forwarding DNS requests for these domains to another DNS resolver. In this example, there is another DNS resolver running on localhost (likely a router or DNS server) on the non standard port udp 2053. The port number can be anything you'd like, providing no firewall is blocking it. The reason why a non standard port number is used, is to avoid a port collision. For example, you may be running DNS services on the same box. ``` # Remove AAAA responses from Netflix DNS requests -
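Review bot: the new `# Null AAAA response on these domains` comment is a clear improvement over the previous one, and the paragraph now suggests generating the `server`/`address` pairs with a script but never shows one; since a mismatched pair is exactly the failure mode the same paragraph warns about, a one-line generator would be worth more than the prose, for example `for d in netflix.com netflix.net nflxext.com nflximg.net nflxvideo.net nflxso.net; do printf 'server=/%s/#\naddress=/%s/::\n' "$d" "$d"; done`, with its output written to a file that dnsmasq reads (a conf-dir snippet, if the reader's build uses one).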
jamesmacwhite revised this gist
Jan 23, 2018 . 1 changed file with 5 additions and 4 deletions.
@@ -36,9 +36,10 @@ With dnsmasq, you have two options: ### Method #1: This config hack, basically prevents AAAA from being returned by dnsmasq, set it, apply it. Job done. The only downside to this method is you have to generate a matching server and address for each domain. Your dnsmasq.conf could get quite long very quickly. If you have a bulk load of domains you could write a script to output the server and address lines with the domain being a variable, fed by a file or another source. ``` # Restrict these domains to v4 only server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# @@ -55,7 +56,7 @@ address=/nflxso.net/:: ### Method #2 Conditionally forwarding DNS requests for these domains to another DNS resolver. In this example, there is another DNS resolver running on localhost (likely a router or DNS server) on the non standard port udp 2053. The port number can be anything you'd like, providing no firewall is blocking it. The reason why a non standard port number is used, is to avoid a port collision. For examaple, you may be running DNS on the same box. ``` # Remove AAAA responses from Netflix DNS requests
@@ -69,7 +70,7 @@ server=/nflxso.net/127.0.0.1#2053 You can host the additional DNS server anywhere you like, you can also run multiple servers if you like redundancy. Personally, I host my additional DNS resolver on my router (DD-WRT), its always on, it makes sense. You can of course also use the standard DNS port if your setup allows for it, which in this case you can simply remove the `#2053` part from each line, or choose a random port higher than 1024 for DNS traffic to go through. ## Creating a BIND DNS resolver that removes AAAA records from lookups I chose bind as it has a specific parameter `filter-aaaa-on-v4`. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion. @@ -109,7 +110,7 @@ https://www.ploek.org/post/netflix_openwrt/ Note: DD-WRT is also mostly compatible with nearly all Entware-ng packages. #### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the special DNS resolver you've setup. -
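Review bot: the comment added above the Method #1 config, `# Restrict these domains to v4 only`, is misleading: nothing in those lines restricts anything, they make dnsmasq answer AAAA queries for the listed domains with `::` while the `server=/.../#` lines keep forwarding the A queries as normal. A comment such as "answer AAAA for these domains with :: so clients fall back to IPv4" describes what the reader will actually see in dig. Smaller point in the -69 hunk: "choose a random port higher than 1024" should be "an unused port", since the number has to match exactly between the dnsmasq `server=` lines and the port the BIND resolver listens on; randomness adds nothing here.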
jamesmacwhite revised this gist
Jan 23, 2018 . 1 changed file with 51 additions and 14 deletions.
@@ -4,19 +4,19 @@ ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. It became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences most legitimate users, that simply want IPv6 connectivity, beacause their ISP is stuck in 1995. https://help.netflix.com/en/node/277 In order to maintain keeping your IPv6 tunnel active while browsing Netflix, you must force Netflix to always use IPv4 (which is likely to be using your ISP WAN gateway as normal). Despite Netflix support stating you should simply "disable" your IPv6 tunnel, this is impossible when you have a IPv6 tunnel deployed across a LAN at the router level and have servers and services running over v6 using the address space. To implement such a workaround you'll need to have a DNS setup that can allow you to conditionally forward specific Netflix domain lookups to a special DNS resolver that can strip AAAA (IPv6 addresses) records from the DNS request, essentially forcing IPv4 connections. This guide focuses on a couple of common DNS resolver setups. The concept however is pretty standard and can be applied other DNS resolver setups not covered here e.g. Unbound. ## Netflix domains that need be specifically treated These are the key Netflix domains that need to be handled in a specific way. 
Mainly, have any IPv6 record returned in a DNS query removed before the request happens. * netflix.com * netflix.net @@ -25,7 +25,37 @@ These are the key Netflix domains that need to be forwarded. * nflxext.com * nflxso.net Some of these domains may not have AAAA records currently, but its possible this might change in the future, so they are covered off to be future proofed. ## dnsmasq With dnsmasq, you have two options: 1. Directly prevent AAAA lookups on specific domains with config magic 2. Conditionally forward such domains to another DNS resolver that strips AAAA records from lookups. ### Method #1: This config hack, basically prevents AAAA from being returned by dnsmasq, set it, apply it. Job done. The only downside to this method is you have to generate a matching server and address for each domain. It can get long very quickly. ``` server=/netflix.com/# address=/netflix.com/:: server=/netflix.net/# address=/netflix.net/:: server=/nflxext.com/# address=/nflxext.com/:: server=/nflximg.net/# address=/nflximg.net/:: server=/nflxvideo.net/# address=/nflxvideo.net/:: server=/nflxso.net/# address=/nflxso.net/:: ``` ### Method #2 Conditionally forwarding DNS requests for these domains to another DNS resolver. In this example, there is another DNS resolver running on localhost on the none standard port udp 2053. The port number can be anything you'd like, providing no firewall is blocking it. The reason why a non standard port number is used, is to avoid a port collision. For exmaple, you may be running DNS on the same box. ``` # Remove AAAA responses from Netflix DNS requests 
@@ -37,13 +67,13 @@ server=/nflxvideo.net/127.0.0.1#2053 server=/nflxso.net/127.0.0.1#2053 ``` You can host the additional DNS server anywhere you like, you can also run multiple servers if you like redundancy. Personally, I host my additional DNS resolver on my router (DD-WRT), its always on, it makes sense. You can of course also use the standard DNS port if your setup allows for it, which in this case you can simply remove the `#2053` part from each line, or choose a random port higher than 1024 for DNS traffic to go through. ## Creating a BIND DNS resolver that removes AAAA records from lokkups I chose bind as it has a specific parameter `filter-aaaa-on-v4`. The example below is a very minimal configuration for bind. Its one purpose is basically to strip AAAA records from DNS lookups. It has the advantage of being domain agnostic, meaning it will strip any AAAA records from any domain passed to it. This is useful if other services other than Netflix start blocking IPv6 tunnels in a similar fashion. You can use any forwarders you like, the example below uses OpenDNS. If you are running this on an external IP address, you should be careful and make sure you only allow recursion on specific requests and ACL accordingly. Not doing so will make you an open DNS resolver, it won't take long for someone to start abusing your server and generating a high rate of traffic. ``` options { @@ -85,7 +115,7 @@ Once everything is setup, you can query any of the following Netflix domains lis ##### An AAAA DNS request made via Google Public DNS Google's public DNS servers will always return AAAA records, this is what a request to `netflix.com` will mostly look like: ``` dig @8.8.8.8 netflix.com AAAA 
@@ -120,7 +150,7 @@ netflix.com. 59 IN AAAA 2620:108:700f::36d6:1699 #### An AAAA DNS request made via the BIND DNS server we setup Making the same request to our primary DNS resolver that has been configured to treat Netflix domains differently, we should get no AAAA records returned, even if we explicitly request them. ``` dig @127.0.0.1 netflix.com AAAA @@ -143,7 +173,7 @@ dig @127.0.0.1 netflix.com AAAA ;; MSG SIZE rcvd: 40 ``` If you get no AAAA records returned on your DNS resolver with Netflix queries, your in business. Future Netflix connections should now only use IPv4. You may want to reboot your router or device supplying DNS in order to clear existing/cached lookups. If you performed a DNS lookup for a Netflix domain with AAAA records recently prior to implementing this workaround, it may still be cached and can take a bit of time for changes to be reflected on client machines on the network. If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. 
@@ -158,7 +188,14 @@ iptables -I FORWARD --destination 8.8.8.8 -j REJECT iptables -I FORWARD --destination 8.8.4.4 -j REJECT ``` In addition, some Google devices may also make v6 DNS lookup requests to Google's public DNS servers, you may have to also block this traffic as well: ``` ip6tables -I FORWARD --destination 2001:4860:4860::8844 -j REJECT ip6tables -I FORWARD --destination 2001:4860:4860::8888 -j REJECT ``` REJECT is a bit more friendly than DROP in this case, as the "fail" response will be quicker. You want the request to fail quickly in this case. You'd use `DROP` if someone was port knocking and want to slow down their efforts of obtaining open ports. If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network.
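Review bot: the open-resolver warning in the -37 hunk ("make sure you only allow recursion on specific requests and ACL accordingly") should name the BIND options it has in mind, since the config that follows is presented as minimal and readers will copy it as-is: define an `acl` for the LAN plus loopback and reference it from `allow-recursion` and `allow-query`, and where the resolver lives on the same box as dnsmasq (the `server=` lines above all point at `127.0.0.1#2053`), `listen-on { 127.0.0.1; };` keeps it off the WAN entirely. Also, "lokkups" in the new heading should be "lookups".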
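Review bot: "your in business" in the -143 hunk should be "you're in business". The same hunk tells readers to reboot the router to clear cached lookups; a full reboot is heavier than needed, as dnsmasq clears its cache on SIGHUP (`kill -HUP $(pidof dnsmasq)`), and the sentence about client machines already covers the caches a router restart does not reach.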
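Review bot: the new ip6tables lines in the -158 hunk reject all traffic to 2001:4860:4860::8844 and ::8888, which matches the v4 REJECT rules, but readers who later switch to the DNAT interception described further down the file get no IPv6 counterpart, so a device that prefers the v6 resolver will be rejected rather than transparently answered; say so explicitly next to these rules. Separately, the DROP explanation in this hunk conflates port knocking with port scanning: DROP slows down a scanner waiting on timeouts, whereas port knocking is a client-side sequence used to open a port on a firewall, so "port scanning" is the word wanted.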
jamesmacwhite revised this gist
Jun 25, 2017 . 1 changed file with 5 additions and 3 deletions.
@@ -162,15 +162,17 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. ##### Intercepting Google DNS traffic, rather than blocking There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via `iptables`: ``` iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x ``` * 192.168.x.x/24 - Range of your LAN, example: `192.168.1.0/24` * 192.168.x.x - The device that is running DNS i.e. router `192.168.1.1` This method essentially allows DNS requests to `8.8.8.8` or `8.8.4.4`, but the request itself will be intercepted and actually resolved by a DNS server of the users choosing, alebit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else.
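Review bot: the new heading in the -162 hunk, "##### Intercepting Google DNS traffic, rather than blocking", skips a level under its parent "### Streaming issues with Google Chromecast/Android devices"; "####" is the consistent choice. Also "alebit" in the same hunk should be "albeit".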
jamesmacwhite revised this gist
Jun 25, 2017 . 1 changed file with 2 additions and 2 deletions.
@@ -162,7 +162,7 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. However, there are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems like streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests you might want to instead intercept the requests, rather than block them. This can also be achieved via `iptables`: ``` iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
@@ -174,7 +174,7 @@ iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j This method essentially allows DNS requests to `8.8.8.8` or `8.8.4.4`, but the request itself will be intercepted and actually resolved by a DNS server of the users choosing, alebit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else. DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose. Thanks @seiferma for the report and testing this scenario! Additionally, vertified and tested by myself. (25/06/2017)
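Review bot: the sentence added in the -174 hunk ("it is unlikely any Google DNS request will be using TCP") is not a safe assumption, since a resolver retries over TCP whenever a UDP reply comes back truncated (TC bit set), and the DNAT rules in the -162 hunk match `-p udp` only, so such a retry would go to 8.8.8.8 unintercepted unless the FORWARD REJECT rules from the section above are still in place. Either state that both rule sets are kept, or add a `-p tcp --dport 53` copy of each DNAT rule. "vertified" should be "verified".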
jamesmacwhite revised this gist
Jun 25, 2017 . 1 changed file with 7 additions and 3 deletions.
@@ -149,7 +149,7 @@ If you get issues like timeouts, check to make sure the DNS server is actually r ### Streaming issues with Google Chromecast/Android devices Devices like Google Chromecast don't allow direct control of the DNS servers used and always try to use Google's Public DNS resolvers of `8.8.8.8` and `8.8.4.4`, these of course will return AAAA records and cause issues when streaming Netflix (even if you have implemented this workaround on the network the stream activity is running on). You can however leverage a fallback option built into Chromecast devices (and possibly other Google devices), where by if you block access to the Google Public DNS resolvers, it forces the Chromecast device to use the DHCP supplied DNS information and hence the DNS workaround will work. An example of doing this with `iptables`:
@@ -162,7 +162,7 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. However, there are several reports that some Google based devices like Android tablets don't seem to like sinkholing Google public DNS requests entirely, so if you have problems with devices like Chromecasts, Google tablets etc after blocking Google DNS requests you might want to instead intercept the requests, rather than block them. This can also be achieved via `iptables` ``` iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x @@ -172,7 +172,11 @@ iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j * 192.168.x.x/24 - Range of your LAN * 192.168.x.x - The device that is running DNS i.e. router This method essentially allows DNS requests to `8.8.8.8` or `8.8.4.4`, but the request itself will be intercepted and actually resolved by a DNS server of the users choosing, alebit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else. DNS typically uses UDP for most DNS requests, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose. Thanks @seiferma for the report and testing this scenario! Additionally, vertified and tested by myself. (25/06/2017) **Enjoy your Netflix again!**
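Review bot: "This can also be achieved via `iptables`" at the end of the -162 hunk needs a colon before the code block, and the two bullets in the -172 hunk use the same `192.168.x.x` placeholder for both the LAN range and the DNS host, which a reader can easily mix up; concrete examples such as `192.168.1.0/24` and `192.168.1.1` would remove the ambiguity.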
jamesmacwhite revised this gist
Jun 25, 2017 . 1 changed file with 14 additions and 2 deletions.
@@ -147,9 +147,9 @@ If you get no AAAA records returned on your DNS resolver, your in business. Futu If you get issues like timeouts, check to make sure the DNS server is actually running and your firewall is permitting the DNS traffic, especially if using a non-standard port for DNS traffic. ### Streaming issues with Google Chromecast/Android devices Devices like Google Chromecast don't allow direct control of the DNS servers used and always try to use Google's Public DNS resolvers of 8.8.8.8 and 8.8.4.4, these of course will return AAAA records and cause issues when streaming Netflix (even if you have implemented this workaround on the network the stream activity is running on). You can however leverage a fallback option built into Chromecast devices (and possibly other Google devices), where by if you block access to the Google Public DNS resolvers, it forces the Chromecast device to use the DHCP supplied DNS information and hence the DNS workaround will work. An example of doing this with `iptables`:
@@ -162,6 +162,18 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. Some Google based devices like tablets don't seem to like sinkholing Google public DNS requests entirely, so if have problems with devices like Chromecasts, Google tablets etc, you might want to instead intercept the requests, rather than block them. ``` iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x ``` * 192.168.x.x/24 - Range of your LAN * 192.168.x.x - The device that is running DNS i.e. router Thanks @seiferma for the report and testing scenario! **Enjoy your Netflix again!** ### Extra Q&A bit
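Review bot: the DNAT rules added in the -162 hunk land in the same section as the FORWARD REJECT rules for 8.8.8.8 and 8.8.4.4, but the text does not say whether readers keep both. They can coexist, since nat PREROUTING runs before the routing decision and a packet rewritten to the router's own address is delivered through INPUT, never reaching the FORWARD REJECT rule, but one sentence saying so would spare readers from guessing which rule wins. Also "so if have problems" is missing "you".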
jamesmacwhite revised this gist
Jun 25, 2017 . 1 changed file with 2 additions and 0 deletions.
@@ -23,6 +23,7 @@ These are the key Netflix domains that need to be forwarded. * nflxvideo.net * nflximg.net * nflxext.com * nflxso.net Some domains may not have AAAA records currently, but its possible this might change in the future, so they are covered off to be future proofed. @@ -33,6 +34,7 @@ server=/netflix.net/127.0.0.1#2053 server=/nflxext.com/127.0.0.1#2053 server=/nflximg.com/127.0.0.1#2053 server=/nflxvideo.net/127.0.0.1#2053 server=/nflxso.net/127.0.0.1#2053 ``` In this example, we are creating conditional forwarders for the above domains to be sent to another DNS server running on the same box, but running on a non-standard DNS port to avoid conflicting with Dnsmasq. You can host the additional DNS server anywhere you like, you can also run multiple servers if you like redundancy. Personally, I host mine on my router (DD-WRT), its always on, it makes sense. You can of course also use the standard DNS port if your setup allows for it, which in this case you can simply remove the `#2053` part from each line, or choose a random port higher than 1024 for DNS traffic to go through.
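Review bot: the -23 hunk lists `nflximg.net` while the dnsmasq block in the -33 hunk forwards `nflximg.com` (`server=/nflximg.com/127.0.0.1#2053`), so the list and the forwarders disagree; whichever name is intended, both places should match, because a domain that is listed but not forwarded will quietly keep returning AAAA records through dnsmasq's normal upstream. Also "its always on" should be "it's always on".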
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 1 addition and 1 deletion.
@@ -4,7 +4,7 @@ ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. It became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US (and others) content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences legit users. https://help.netflix.com/en/node/277
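Review bot: "opportunstic indiviuals" in the -4 hunk should be "opportunistic individuals".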
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # Netflix AAAA DNS Workaround (IPv6 Tunnels) *This gist was essentially created out of my own [rant about Netflix being hostile to IPv6 tunnel services since June 2016](https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/). You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network.* ## The problem
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 2 additions and 2 deletions.
@@ -1,6 +1,6 @@ # Netflix AAAA DNS Workaround (IPv6 Tunnels) *This gist was essentially created out of my own [rant about Netflix being hostile to IPv6 tunnel services since June 2016](https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/). You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network* ## The problem @@ -69,7 +69,7 @@ https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html If you want to run BIND like this on OpenWRT/DD-WRT you may have to compile the bind package yourself with this specific compile flag set, depending on your setup. As of 08/01/2017, OpenWRT [updated the bind package](https://github.com/openwrt/packages/commit/909209e7531de2ea63f1f298adce985406d8ba08) to have this enabled by default. Entware-ng will also inherit this change on their next sync with OpenWRT sources. If you need to compile bind from source, see this excellent guide below:
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # Netflix AAAA DNS Workaround (IPv6 Tunnels) *This gist was essentially created out of my own (https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/)[rant about Netflix being hostile to IPv6 tunnel services since June 2016]. You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network* ## The problem
jamesmacwhite revised this gist
May 20, 2017 . No changes.
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 7 additions and 3 deletions.
@@ -1,10 +1,14 @@ # Netflix AAAA DNS Workaround (IPv6 Tunnels) *This gist was essentially created out of my own (https://blog.jmwhite.co.uk/2016/06/12/netflix-starts-blocking-ipv6-tunnels/)[rant about Netflix being hostile to IPv6 tunnel services since June 2016]. You are welcome to read my opinion on the matter, this is the more technical side to the issue and how to combat it within your own network ## The problem Netflix now treats IPv6 tunnel brokers (such as Hurricane Electric) as proxy servers. It became apparent to users and Netflix that somewhat by accident, IPv6 tunnel users were being served content outside of their geolocation because of the way Netflix was identifying the tunnel services and their geographical origin. The problem was further compounded by certain opportunstic indiviuals deciding to create a business model out of providing the Netflix US content library via networks like Hurricane Electric and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences legit users. https://help.netflix.com/en/node/277 In order to maintain keeping your IPv6 tunnel active while browsing Netflix, you must force Netflix to always use IPv4 (which is likely to be using your ISP WAN gateway as normal). Despite Netflix support stating you should simply "disable" your IPv6 tunnel, this is impossible when you have a IPv6 tunnel deployed across a LAN at the router level and have servers and services running over v6. To implement such a workaround you'll need to have a DNS setup that can allow you to conditionally forward specific Netflix domain lookups to a special DNS resolver that can strip AAAA (IPv6 addresses) records from the DNS request, essentially forcing IPv4 connections. 
@@ -65,7 +69,7 @@ https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html If you want to run BIND like this on OpenWRT/DD-WRT you may have to compile the bind package yourself with this specific compile flag set, depending on your setup. As of 08/01/2017, OpenWRT (https://github.com/openwrt/packages/commit/909209e7531de2ea63f1f298adce985406d8ba08)[updated the bind package] to have this enabled by default. Entware-ng will also inherit this change on their next sync with OpenWRT sources. If you need to compile bind from source, see this excellent guide below:
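Review bot: the italic opened with `*` at the start of the new intro paragraph in the -1 hunk is never closed, so everything that follows renders in italics, and both new links, the blog "rant" in the -1 hunk and "updated the bind package" in the -65 hunk, have the markdown pieces reversed: the syntax is `[text](url)`, not `(url)[text]`.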
jamesmacwhite revised this gist
May 20, 2017 . 1 changed file with 8 additions and 6 deletions.
@@ -63,21 +63,23 @@ The `--enable-filter-aaaa` option must be enabled at compile time in order for t https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html If you want to run BIND like this on OpenWRT/DD-WRT you may have to compile the bind package yourself with this specific compile flag set, depending on your setup. As of 08/01/2017, OpenWRT [https://github.com/openwrt/packages/commit/909209e7531de2ea63f1f298adce985406d8ba08](updated the bind package) to have this enabled by default. Entware-ng will also inherit this change on their next sync with OpenWRT sources. If you need to compile bind from source, see this excellent guide below: https://www.ploek.org/post/netflix_openwrt/ Note: DD-WRT is also mostly compatible with nearly all Entware-ng packages. ### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the special DNS resolver you've setup. ##### An AAAA DNS request made via Google Public DNS Google's public DNS servers will always return AAAA records, this is what it would look like: ``` dig @8.8.8.8 netflix.com AAAA @@ -112,7 +114,7 @@ netflix.com. 59 IN AAAA 2620:108:700f::36d6:1699 #### An AAAA DNS request made via the BIND DNS server we setup Making the same request to our bind9 server, we should get no AAAA records returned even we explicitly requesting them. ``` dig @127.0.0.1 netflix.com AAAA
@@ -154,7 +156,7 @@ REJECT is a bit more friendly than DROP in this case, as the "fail" response wil If you happen to use Google's DNS resolvers at the network level for general DNS queries you can limit this block to the IP address of your Chromecast device with the `-s` option, allowing you to use Google's DNS resolvers for other devices still. This would require you to use static DHCP in order to create a fixed LAN IP address for any Chromecast devices you have, so you know where they are on the network. **Enjoy your Netflix again!** ### Extra Q&A bit
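Review bot: the OpenWRT link in the -63 hunk has the URL inside the square brackets and the link text "updated the bind package" inside the parentheses; swap them so the text is in brackets and the URL in parentheses. In the -112 hunk, "even we explicitly requesting them" should read "even if we explicitly request them".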
jamesmacwhite revised this gist
May 16, 2017 . 1 changed file with 2 additions and 2 deletions.
@@ -162,9 +162,9 @@ In case you have any questions about the purpose/reasons for this workaround, he **Q. Will I be able to stop using this workaround at some point?** A. Once your ISP provides a native IPv6 subnet to you, you can disable your IPv6 tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar). To clarify, Netflix is only blocking IPv6 tunnels because it cannot fully confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have ultimately identifies as US to a lot of geo based systems concerning IPv6. This problem however is now redundant as Netflix has now straight blocked the IPv6 ranges of various IPv6 tunnel services. **Q. Will Netflix block my actual ISP?**
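Review bot: "This problem however is now redundant" in the reworded answer of the -162 hunk says the opposite of what is meant; the geolocation confusion is moot now that the tunnel ranges are blocked outright, not redundant. "geo-restrcitions" should be "geo-restrictions".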
jamesmacwhite revised this gist
May 16, 2017 . 1 changed file with 6 additions and 2 deletions.
@@ -1,6 +1,6 @@ # Netflix AAAA DNS Workaround (IPv6 Tunnels) Netflix treats IPv6 tunnel brokers such as Hurricane Electric as proxy servers. Mainly because someone decided to create a business model out of providing the US content library via the HE.net network and ruined it for everyone. Netflix and friends got all stressy about it and now all IPv6 tunnel users are considered naughty proxy pirates. Also because big media is stuck in the 1990s, they think this block is actually effective, when in fact it just inconveniences legit users. https://help.netflix.com/en/node/277 @@ -69,14 +69,16 @@ You can find a guide on compiling BIND from source for OpenWRT/Entware below: https://www.ploek.org/post/netflix_openwrt/ DD-WRT can also use Entware-ng packages. ### Confirming AAAA records are removed from DNS lookups Once everything is setup, you can query any of the following Netflix domains listed above against a public DNS resolver and compare the output to a query made to the special DNS resolver you've setup. ##### An AAAA DNS request made via Google Public DNS Google's public DNS servers will always return AAAA records, this is what this looks like: ``` dig @8.8.8.8 netflix.com AAAA @@ -110,6 +112,8 @@ netflix.com. 59 IN AAAA 2620:108:700f::36d6:1699 #### An AAAA DNS request made via the BIND DNS server we setup Making the same request to our bind9 server, we should get no AAAA records returned. ``` dig @127.0.0.1 netflix.com AAAA
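Review bot: "Google's public DNS servers will always return AAAA records" in the -69 hunk overstates the point; an unfiltered resolver returns AAAA records only for names that have them, which netflix.com does, so "will return the AAAA records that exist" is more accurate and makes clear that the comparison works against any unfiltered resolver, not Google specifically.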
jamesmacwhite revised this gist
Apr 18, 2017 . 1 changed file with 11 additions and 5 deletions.
@@ -158,15 +158,21 @@ In case you have any questions about the purpose/reasons for this workaround, he **Q. Will I be able to stop using this workaround at some point?** A. Once your ISP provides a native IPv6 subnet to you, disable the tunnel and use the IPv6 subnet delegated to you by your ISP (likely a /56 or something similar). To clarify, Netflix is only blocking IPv6 tunnels because it cannot fully confirm your exact country of origin and sees any usage of a IPv6 tunnel as a way of circumventing geo-restrcitions on content that is licensed to specific countries, despite this being the intention or not. In the case of Hurricane Electric, while it operates tunnels in loads of different countries, the IPv6 address space they have ultimately identifies as US to a lot of geo based systems concerning IPv6. Bonus fact: IPv6 geo detection can be very inaccurate. **Q. Will Netflix block my actual ISP?** A. No. When you use your ISPs connection, the IP address you connect from will essentially be on whitelist as Netflix won't block the IPv4/IPv6 space of a registered residental/business ISP as its server locations will be fixed and registered. The exception to this is known VPN/proxy services, these are being added to Netflix's blocklists and it gets updated regularly. **Q. How does this workaround work?** A. Essentially when a request is sent to Netflix, a IPv6 connectivity test is done to confirm if you can use their IPv6 network. Remeber, the default protocol behaviour is to try IPv6 first (happy eyeballs). We are essentially fooling Netflix into making all requests use their IPv4 network, because we stripped any AAAA records from such requests, making it look like we only have IPv4 connectivity. Sneaky, yet effective. Netflix traffic goes over IPv4, while you get to keep your IPv6 connectivity for everything else and be part of the slowly rising IPv6 traffic level of the world. Bonus! **Q. Will this workaround stop working in the future?** A. 
It should be pretty robust, but if Netflix introduce a new domain not covered in the list above that has some form of IPv6 connectivity, which then determines proxy/VPN usage, it may have to be expanded, I have personally used this workaround since June 2016 and it hasn't let me down yet. To be fair this block has been implemented for sometime now, which should satisfy big media, if Netflix further tinker with it, it's just going to become a game of cat and mouse. **Q. Does this workaround allow me to bypass geo-restrictions?** 
@@ -176,15 +182,15 @@ A. No. It is simply designed to allow connectivity to Netflix, while having an I A. Probably not, they were likely pressured into it in the first place by media companies and license holders. Netflix probably don't care that much either, as long as your paying your monthly subscription. Big media didn't like it though! Hence the ban hammer. Its also worth noting that IPv6 tunnel services are transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). **Q. Do any proxy/VPN services still work with Netflix?** A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services will be blocked for sure. **Q. Can I forward other non-Netflix domains using this method?** A. Yes. The way the bind9 config is setup is basically to strip any AAAA records from domains passed to it. It is not limited to Netflix domains. You just need to let your primary DNS server/resolver (in this example, Dnsmasq) know to forward it to somewhere else. This is the main reason why I'd recommend going the slightly more technical route for more benefits with bind9. Its an even better solution if you already run a bind9 DNS server and simply can create conditional forwarders directly on your primary bind9 servers, but that's not an essential requirement, as explained above. For a real non-Netflix example, mega.co.nz or mega.nz will not work over v6 via Hurricane Electric because MEGA uses Cogent to carry their IPv6 traffic, which lacks any route to the Hurricane Electric network. See this thread on the HE forums: https://forums.he.net/index.php?topic=3530.0 about the whole HE vs Cogent saga. Using this workaround for MEGA domains will allow you to access the service, because IPv4 will essentially be forced. **Q. 
I'm not able to run bind9, are there any alternatives?**
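Review bot: the "How does this workaround work?" answer in the -158 hunk describes Happy Eyeballs as "try IPv6 first"; more precisely the client races IPv6 and IPv4 connections with a short head start for IPv6, so a working tunnel wins the race, which is exactly why the AAAA record has to be removed rather than the tunnel merely being slower. Typos in the same hunk: "Remeber", "geo-restrcitions", "residental".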
jamesmacwhite revised this gist
Apr 17, 2017 . 1 changed file with 4 additions and 4 deletions.
@@ -176,24 +176,24 @@ A. No. It is simply designed to allow connectivity to Netflix, while having an I A. Probably not, they were likely pressured into it in the first place by media companies and license holders. Netflix probably don't care that much either, as long as your paying your monthly subscription. Big media didn't like it though! Hence the ban hammer. Its also worth noting that IPv6 tunnel services are transitional mechanisms and shouldn't be a permanent solution for IPv6. Hassle your ISP to sort out their IPv6 (or lack of!). **Q. Do any Proxy/VPN services still work with Netflix?** A. There are likely some services that might still work, but they are likely operating on borrowed time, as Netflix will be monitoring and updating their blocklists regularly. Most of the well known proxy/VPN services will be blocked for sure. **Q. Can I forward other non-Netflix domains using this method?** A. Yes. The way the bind9 config is setup is basically to strip any AAAA records from domains passed to it. It is not limited to Netflix domains. You just need to let your primary DNS server/resolver (in this example, Dnsmasq) know to forward it to somewhere else. This is the main reason why I'd recommend going the slightly more technical route for more benefits with bind9. Its an even better solution if you already run a bind9 DNS server and simply can create conditional forwarders directly on your primary bind9 servers, but that's not an essential requirement, as explained above. For a real non-Netflix example, mega.co.nz or mega.nz will not work over v6 via Hurricane Electric because MEGA uses Cogent to carry IPv6 traffic, which lacks any route to the Hurricane Electric network. See this thread on the HE forums: https://forums.he.net/index.php?topic=3530.0 about the whole HE vs Cogent saga. Using this workaround for MEGA domains will allow you to access the service, because IPv4 will essentially be forced. **Q. 
I'm not able to run bind9, are there any alternatives?** A. Yes. There is a excellent lightweight DNS proxy specifically for Netflix IPv6 tunnel purposes. Written in Python, it should work on most Unix/Linux systems with little setup required. https://github.com/cdhowie/netflix-no-ipv6-dns-proxy The same concept applies, you need to have your primary DNS server/resolver forward requests to this proxy, be aware this DNS proxy is specifically for Netflix domain usage and won't strip the AAAA records of other domains if sent to it. You can edit the source code to expand it if you wanted to though. **Q. Who is "big media"?** A. My pet name for the media rights corporations who are stuck in the past and don't know jack shit about technology. Much like the government of the United Kingdom (example: Investigatory Powers Act 2016). True story.
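Review bot: "a excellent lightweight DNS proxy" in the -176 hunk should be "an excellent"; the same answer could also tie its caveat (the proxy only handles Netflix domains) back to the MEGA example in the answer just above it, which would need the bind9 route or the source edit the answer mentions.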