Unblocking Netflix Could Put You at Risk

Take precautions when using third party DNS and VPNs

Posted by Stefán Orri Stefánsson on 3 September 2015

Regional content unblocking is the act of bypassing restrictions and accessing content which is not meant for your geographic area. In the past, such unblocking typically involved a screwdriver and soldering iron. Bricked hardware was the worst potential result. Today, unblocking is done by configuring your Internet settings or router. Doing so could put your entire Internet traffic in the hands of a stranger. What’s the danger in that? Besides the obvious information leakage and spying potential, you could find yourself with malware-filled computers and devices.

Join me as I examine how modern content unblocking works and how it could unwittingly be exposing you to danger.

Tl;dr - Content unblocking can expose you to danger through unscrupulous providers. If you care about your security and privacy, take the time to protect yourself from them.

A trip down memory lane

A quarter-century ago my grandparents returned from a trip to the US with a present for me and my brother - two Nintendo Entertainment System (NES) video games. Ecstatic, we raced over to the console (or more likely waited anxiously for our turn at the only TV in the house) but were dejected when neither game worked. A trip to the local game store revealed that the games weren’t broken, just region-locked to the USA. Living in Europe, the games didn’t work - by design. We had been introduced to the concept of content restriction.

Within a few weeks, we found someone who could unlock the NES, enabling it to play any game irrespective of region (also allowing unlicensed games as a side effect). After forking over a few weeks’ worth of allowance, we could finally play the games.

The games in question. Ahh, memories.

Modern region locks

Flash forward to this day and nothing has changed. Content distributors are still trying to region-lock video games, DVDs/Blu-ray discs as well as online music and video streaming services. They’re also still failing at it. Regional content restriction is more of a speed bump to users than an impassable roadblock. Almost everyone who wants to circumvent these protections is able to without much trouble. Netflix and Hulu are the perennial examples of modern services which employ region blocks.

There are three main ways to bypass online regional content restrictions: a virtual private network (VPN), an HTTP proxy or a “smart DNS” service. Most people select one based on their needs, budget or a recommendation from an acquaintance. Very few people understand how their chosen solution works and what implications it has for them. Let’s have a quick look at each of these.

HTTP proxy

An HTTP proxy is configured in your browser or operating system and controls how the browser retrieves content from Internet hosts. Without a proxy, a browser performs a DNS request for the remote host’s IP address and then sends the HTTP request to that address. But if the browser is configured to use a proxy (for the chosen host), it will not send the request to the remote host, but to the proxy instead. The proxy might forward the request directly to the remote host, or it might do some processing on the request and/or response based on its configuration.

VPN

A VPN can mean a lot of things but in the content unblocking world it essentially means having an encrypted tunnel through which all traffic from a device (the VPN client) is sent. Many devices, like smart TVs and dedicated media players, don’t support VPN. Therefore the router is sometimes configured as the client, effectively sending all Internet traffic from the local network through the tunnel.

At the other end sits a VPN server which generally only provides access to registered clients, authenticated by passwords or digital certificates.

A VPN might seem like the best solution since all traffic goes through the tunnel and, if properly configured, there is no danger of the real IP address or location leaking. However, the tunneling degrades performance, increasing latency and possibly reducing bandwidth. It’s also overly broad if the aim is content unblocking since it also sends all unrelated traffic through the tunnel.

Don’t get me wrong - in many cases using a VPN is a very good idea. Connecting to WiFi on your smartphone at a coffeehouse? Using a VPN is absolutely the best thing you can do to protect yourself. But for the specific purpose of content unblocking it is overkill.

Smart DNS

Since you’re reading this blog, you probably know that DNS translates Internet host names into IP addresses. So what is “smart” DNS and how exactly is it any smarter than the regular kind?

Smart DNS is more than just DNS since it also provides proxies for the content services it supports. Let’s say a smart DNS user wants to access Netflix. She enters netflix.com in her browser, which triggers a DNS request for the hostname, but the smart DNS doesn’t provide the real netflix.com IP address. Instead, it responds with the address of a proxy server controlled by the DNS provider. Browsing Netflix’s website now goes through the DNS provider, so the user appears to be located where the proxy server is.
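The substitution just described is visible in the DNS answers themselves: the configured resolver hands back a proxy address for the streaming hostname while answering honestly for everything else. The script below is an added example, not code from the original post or from any smart DNS provider. It parses DNS wire-format responses (RFC 1035 header, question section and A records, including name compression) and reports hostnames for which the resolver you are configured to use returns a different address set than a reference resolver. All packets are constructed in-process with addresses from the RFC 5737 documentation ranges, so it runs offline; in practice the two packet sets would be captured from the resolver under test and a resolver you trust.

```python
"""Flag hostnames whose A records differ between two resolvers (added example)."""
from __future__ import annotations

import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels, e.g. b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, addresses: list[str], txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response with one A record per address (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answers


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    resume = None  # where to continue after following a pointer
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_a_records(packet: bytes) -> dict[str, set[str]]:
    """Return {owner_name: {ipv4, ...}} for A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
    records: dict[str, set[str]] = {}
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlength == 4:
            records.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return records


def diverging_hosts(configured: dict[str, bytes],
                    reference: dict[str, bytes]) -> dict[str, tuple[set[str], set[str]]]:
    """Hosts whose A records from the configured resolver differ from the reference."""
    result = {}
    for host, packet in configured.items():
        mine = parse_a_records(packet).get(host, set())
        theirs = parse_a_records(reference[host]).get(host, set())
        if mine != theirs:
            result[host] = (mine, theirs)
    return result


# Constructed scenario: honest answer for example.com, but a proxy address
# (198.51.100.10) substituted for the streaming hostname.
CONFIGURED = {
    "example.com": build_response("example.com", ["192.0.2.10", "192.0.2.11"]),
    "video.example.net": build_response("video.example.net", ["198.51.100.10"]),
}
REFERENCE = {
    "example.com": build_response("example.com", ["192.0.2.11", "192.0.2.10"]),
    "video.example.net": build_response("video.example.net", ["203.0.113.5", "203.0.113.6"]),
}

if __name__ == "__main__":
    for host, (mine, theirs) in diverging_hosts(CONFIGURED, REFERENCE).items():
        print(f"{host}: configured resolver {sorted(mine)} vs reference {sorted(theirs)}")
```

Answer sets are compared as sets because legitimate resolvers rotate the order of records; a difference in membership, not order, is what indicates substitution. CDN-backed sites can still legitimately return different addresses from different vantage points, so treat a hit as something to investigate (for instance by checking who owns the returned address block) rather than as proof on its own.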

Smart DNS is easy for the user since it only requires changing the DNS servers on a specific device or a router. It’s also “just” DNS, so what could be the harm in that? Well, for starters you generally want to have your DNS as close (network latency-wise) to you as possible since it will otherwise hinder your web browsing, etc. But besides performance considerations there are also security concerns - more on that in a bit.

Free stuff will bite you

HTTP proxies and VPNs have mostly the same security drawbacks. You are essentially trusting a single entity with all your traffic. If that traffic is not encrypted (HTTP instead of HTTPS) the people running the proxy or VPN server can inspect and even modify it. Even if the service is provided by a company, how can you make sure that company or its sysadmins are not looking through your traffic for valuable information? We have definitely seen examples of badly behaving providers (see Hola Internet).

Christian Haschek has investigated free proxies and found they often inject HTML or JavaScript into web pages. In fact, less than a third of the online proxies were considered safe. Wired reported on his findings and recommended using a paid VPN which does not log traffic. The problem is that the customer has no way of verifying the VPN provider is in fact not logging data or doing something more nefarious.
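The injection Haschek found can be checked for with the same idea his research relied on: fetch the same page directly and through the proxy, then compare what active content each copy carries. The script below is an added example, not code from the original post or from Haschek’s tooling, and it applies equally to an HTTP proxy configured as described earlier on this page. Both HTML documents are constructed in-process so the script runs offline; in real use they would be the two fetched response bodies.

```python
"""Report script/iframe content present in a proxied page but not in the direct copy (added example)."""
from __future__ import annotations

from html.parser import HTMLParser


class ActiveContentCollector(HTMLParser):
    """Collect external script/iframe sources and the bodies of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.external: set[str] = set()
        self.inline: set[str] = set()
        self._script_buf: list[str] | None = None  # non-None while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.external.add(attrs["src"])
        if tag == "script" and not attrs.get("src"):
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            if body:
                self.inline.add(body)
            self._script_buf = None


def active_content(html: str) -> tuple[set[str], set[str]]:
    """Return (external sources, inline script bodies) found in an HTML document."""
    collector = ActiveContentCollector()
    collector.feed(html)
    collector.close()
    return collector.external, collector.inline


def injected_content(direct_html: str, proxied_html: str) -> dict[str, set[str]]:
    """Active content in the proxied copy that the direct copy does not contain."""
    direct_ext, direct_inline = active_content(direct_html)
    proxied_ext, proxied_inline = active_content(proxied_html)
    return {"external": proxied_ext - direct_ext, "inline": proxied_inline - direct_inline}


# Constructed sample pages: the proxied copy carries one extra external script
# and one extra inline script appended before </body>.
DIRECT_HTML = """<!doctype html>
<html><head><title>Stream</title>
<script src="/static/player.js"></script>
<script>var config = {region: "us"};</script>
</head><body><p>Welcome back.</p></body></html>"""

PROXIED_HTML = DIRECT_HTML.replace(
    "</body>",
    '<script src="http://proxy-ads.example/inject.js"></script>\n'
    '<script>window.__proxy_tag = "x";</script>\n</body>',
)

if __name__ == "__main__":
    for kind, items in injected_content(DIRECT_HTML, PROXIED_HTML).items():
        for item in sorted(items):
            print(f"injected {kind}: {item}")
```

Only script and iframe sources are diffed, not the whole document, because pages legitimately differ between loads (session tokens, cache-busting query strings, A/B variants); repeating the direct fetch a couple of times and keeping only findings that persist removes most of that noise. Note that this check can only be meaningful for plain HTTP pages: over HTTPS a proxy cannot alter the body without breaking the certificate validation, which is precisely why the post recommends encrypted transport.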

There’s no such thing as a free lunch. You are definitely better off paying for a proxy or VPN than using a free one. But there’s still some trusting that needs to be done on your part, and not everyone is comfortable with that.

Smart DNS is potentially better since only traffic intended for a few content providers should be given special treatment. However, you are still giving up control of DNS and that can be more dangerous than even a misbehaving HTTP proxy or VPN server. The same goes here - paid is probably more secure than free.

Obligatory doomsday scenario

For most people, the possibility of someone snooping on their Internet traffic should be disconcerting. There are of course those who are unfazed by that and say they have nothing to hide. They might think differently about having their computer (or even TV) infected with malware. But that’s perfectly possible if your proxy/VPN/DNS provider wants to harm you. One scenario is that your provider might simply wait for you to download an executable from an unencrypted location - say Microsoft anti-virus - and provide a malware executable instead. This may also work for media players and smart TVs since they often auto-update their firmware and don’t exactly have a stellar track record when it comes to security.
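The two conditions that make the swap above work are cleartext transport and the absence of any integrity check on the downloaded bytes. The function below is an added example, not code from the original post or from any vendor’s updater; it encodes the corresponding defensive policy: refuse an artifact unless it was fetched over HTTPS and its SHA-256 matches a digest obtained out of band (a vendor’s HTTPS download page or a signed manifest). The installer bytes, URL and digest are constructed for the demonstration.

```python
"""Accept an update only if delivered over HTTPS and matching a known digest (added example)."""
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import urlsplit


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(url: str, payload: bytes, expected_sha256: str) -> tuple[bool, str]:
    """Return (accepted, reason). Transport is checked first, then the digest."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        return False, (f"rejected: fetched over {scheme or 'unknown'}, "
                       "an on-path proxy/VPN/DNS operator could have replaced it")
    actual = sha256_hex(payload)
    # compare_digest avoids leaking which prefix of the digest matched via timing
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, (f"rejected: digest mismatch (got {actual[:12]}..., "
                       f"expected {expected_sha256[:12]}...)")
    return True, "accepted: HTTPS transport and digest match"


# Constructed sample: genuine installer bytes and the bytes a hostile provider served instead.
GENUINE = b"MZ genuine installer bytes (constructed sample)"
TAMPERED = b"MZ different bytes substituted in transit (constructed sample)"
PUBLISHED_DIGEST = sha256_hex(GENUINE)  # in practice copied from the vendor's HTTPS page

if __name__ == "__main__":
    cases = [
        ("http://updates.example/setup.exe", GENUINE),    # cleartext: rejected regardless of content
        ("https://updates.example/setup.exe", TAMPERED),  # encrypted but swapped: digest fails
        ("https://updates.example/setup.exe", GENUINE),   # encrypted and intact: accepted
    ]
    for url, blob in cases:
        print(url, "->", check_download(url, blob, PUBLISHED_DIGEST)[1])
```

The digest only helps if it was obtained over a channel the same provider cannot tamper with, which is why the example insists on HTTPS for the artifact and the lead-in assumes the same for the digest; a hash published on a plain HTTP page adds nothing, since whoever swaps the file can swap the hash.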

Protect yourself

First off - don’t use a random free service off the Internet to unblock content. Go for a paid service, or better yet, roll your own if you have the technical chops for it.

If you have to rely on a service, try to limit where you install it. Configuring smart DNS servers only for a few devices (TVs, media players) whose single purpose is content consumption reduces the potential for abuse by a lot. Don’t configure your router’s DNS or VPN unless you really have to and understand the implications of it.


Photo credit: Geitabergsvatn, Iceland. Own photo.