Strange Issue With Netflix iPhone App and DD-WRT
If anybody out there is using a newer build of the DD-WRT firmware with their router and has been having issues streaming Netflix movies from the iPhone app over WiFi, I have also stumbled across the reason and the solution for this problem. After updating my router to the “recommended” build of DD-WRT v24 pre-SP2 (Build 14929, dated 08/12/10 as recommended in the DD-WRT forum thread regarding recommended version for Broadcom firmware), I was no longer able to play anything from the Netflix iPhone app while attempting to stream over WiFi. The player would open, show a message indicating it was loading for a second or two, and would then simply close and go back to the previous screen in Netflix. However, if I turned WiFi off on my iPhone and attempted to stream that way, everything would work!
It turns out that newer versions of DD-WRT, Tomato and other third-party firmware include a newer version of the DNSMasq service, which adds protection against what is known as a “DNS rebind attack.” This is when an external domain name, such as something.somewhere.com, points to what is considered an internal or “private” IP address, such as 192.168.1.1 or even the 127.0.0.1 loop-back address. Apparently this trick can be used to probe inside networks, and since there really should be no valid reason for pointing a public domain at a private IP address, the third-party firmware community has decided to block answers of this kind.
So what’s the problem with the Netflix iPhone app? It turns out that the player attempts to connect to a domain named ihost.netflix.com and this simply points to 127.0.0.1 — the loop-back address I mentioned earlier. Effectively, the Netflix iPhone app uses this external domain to connect to itself (i.e., the iPhone app). I cannot for the life of me figure out why Netflix designed their app this way. The only explanation I can offer is that it is some part of the DRM mechanism that the app uses. I’m hoping this becomes enough of an issue that Netflix will stand up and take notice and perhaps just hard-code the loop-back address into the iPhone app’s code instead of using an external domain to perform this trick.
So what are the possible solutions? You can disable DNSMasq altogether in DD-WRT or your third-party firmware but then you lose all local-side DNS caching abilities. I’ve also read that newer builds (15000 and higher) of DD-WRT let you disable the DNS rebind protection altogether but then you lose what should be another layer of security. Possibly the best (and simplest) solution is to actually enter an external DNS IP address into the WiFi settings of your iPhone or iPod touch device itself. Simply go to Settings and then tap on WiFi and then tap the little blue arrow next to your network’s name. Enter something other than the 192.168.1.1 (or whatever your router’s IP address might be) such as Google’s 8.8.8.8 public DNS server or use OpenDNS at 208.67.222.222. After doing so, try playing a movie over WiFi again and it should work flawlessly as it did before.
For further reading, there is a fairly lengthy thread on the DD-WRT forums about the issue. The first page of the thread is at the following link:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=77831
UPDATE: Somebody on the thread has posted a more elegant solution for DD-WRT users, although the same technique could probably be applied to other custom firmware suffering from the same issue if the firmware allows you to save a list of commands to be executed when the router is booting up. In DD-WRT, you can click the “Administration” tab and then click on the “Commands” sub-tab and you will see a box where you can enter several commands on different lines. You can then either run these commands immediately using the “Run Commands” button at the bottom or save them to be run when the router is starting up, shutting down, or applied to the firewall rules (“Save Startup”, “Save Shutdown” and “Save Firewall” buttons respectively). Paste the following three lines into the command box (each command on its own line) and click the “Save Startup” button:
# answer ihost.netflix.com locally so the query is never forwarded upstream
echo 127.0.0.1 ihost.netflix.com >> /etc/hosts
# restart dnsmasq so it re-reads /etc/hosts
killall -9 dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
You can then either reset and reboot your router or you can paste the commands into the box again and click the “Run Commands” button for the settings to take effect. Essentially what this does is map the ihost.netflix.com domain to the 127.0.0.1 loop-back address. Having this entry in the /etc/hosts file means DNSMasq answers the name locally instead of forwarding it upstream, so its DNS rebind protection is never triggered and Netflix plays without issue! This makes my previous suggestion of using an external DNS server on your mobile device (i.e., iPhone) unnecessary, and this fix will allow Netflix to work from any mobile device (including Android devices) without any configuration changes.
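As an added illustration (not code from the post or from dnsmasq itself), this Python sketch emulates the forwarder logic described above: an upstream answer that points a public name at a loopback or private address is refused, while a name present in the local hosts table is answered locally and never reaches the rebind check. The upstream answers and the blocked address ranges are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address ranges the rebind filter refuses to accept from an upstream server
# (constructed for this example: loopback plus the RFC 1918 private blocks).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_blocked_address(addr: str) -> bool:
    """True if addr lies in a range the rebind protection rejects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def resolve(name: str,
            upstream: Dict[str, List[str]],
            local_hosts: Optional[Dict[str, str]] = None) -> Tuple[str, List[str]]:
    """Emulate a caching forwarder with DNS rebind protection.

    Returns (verdict, addresses):
      'local'          - name found in the hosts table, answered without forwarding
      'ok'             - upstream answer contained only routable addresses
      'rebind-blocked' - upstream answer contained a private/loopback address,
                         so the client gets an empty reply (what breaks the player)
    """
    name = name.rstrip(".").lower()
    if local_hosts and name in local_hosts:
        return "local", [local_hosts[name]]
    answers = upstream.get(name, [])
    if any(is_blocked_address(a) for a in answers):
        return "rebind-blocked", []
    return "ok", answers


# Constructed stand-ins for the public DNS responses.
UPSTREAM = {
    "ihost.netflix.com": ["127.0.0.1"],   # the record the post describes
    "www.example.com": ["203.0.113.10"],  # an ordinary public host (TEST-NET address)
}

# The post's workaround: echo 127.0.0.1 ihost.netflix.com >> /etc/hosts
HOSTS_FIX = {"ihost.netflix.com": "127.0.0.1"}

if __name__ == "__main__":
    print(resolve("ihost.netflix.com", UPSTREAM))            # ('rebind-blocked', [])
    print(resolve("ihost.netflix.com", UPSTREAM, HOSTS_FIX))  # ('local', ['127.0.0.1'])
```

Pointing the phone at an outside resolver (8.8.8.8 or 208.67.222.222) works for the same reason from the other direction: the query never passes through the filtering forwarder at all.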