How to fix VPN/DNS streaming blocking on Android TV

Recently I’ve tested a few Android TV devices: Nvidia Shield, Amazon Fire TV Stick and a no-name TV box running Android TV.

The tests were focused on streaming capabilities on Netflix, Amazon Prime and BBC iPlayer when connected to a VPN, and also when using a Smart DNS service. The VPN connection was set up directly on the Android TV using the VPN provider’s app, and the DNS servers from the Smart DNS service were also set statically on the device.

The interesting part is that, using the same VPN or Smart DNS service, streaming was working fine in a PC browser. Yet on the Android TV device, I was getting the infamous proxy/unblocker detected error.

I was obviously not the first to face this problem, so I’ve done a bit of research and gathered some working solutions.

The problem is that streaming apps like Netflix have hard-coded Google DNS servers (8.8.8.8 and 8.8.4.4), which they use to resolve the streaming hostnames. Normally, this shouldn’t be a problem if the VPN service takes care of blocking or overwriting such DNS requests going to Google DNS, but what makes it even more interesting is that these specific DNS requests to Google DNS are bypassing the VPN connection. That’s a behavior similar to what is called “DNS leaks”.

Before you start, make sure that the service you’re using is actually unblocking Netflix and the other streaming services. Use the service on a computer/Mac and check it in your browser. If it works, proceed to the solutions to make it work on your Android TV.

The solutions

Blocking Google DNS on router

This seems to be the easiest fix, as long as you have a decent router which supports either firewall rules or adding static routes.

Firewall blocking: If your router has a firewall, add two rules to block all traffic to the IP addresses 8.8.8.8 and 8.8.4.4. Preferably both UDP and TCP traffic should be blocked, port 53 or any port.

Black hole routes: This might be even easier than firewall blocking. Check whether the router supports static routes and add two, one for 8.8.8.8 and one for 8.8.4.4, both via the gateway 0.0.0.0. This will make both 8.8.8.8 and 8.8.4.4 unreachable.

If the DNS servers are not reachable when the streaming app tries to use them, it will fall back to the “working” DNS servers, such as those provided by the VPN service or the Smart DNS. A simple solution to a complicated problem.

Rolling back the streaming app to an older version

I’ve tested with the Netflix app for Android TV only, and it seems that the hard-coded Google DNS servers have been added in versions newer than 5.4.1. So, if you can uninstall the Netflix app on your Android TV, do so and side-load version 5.4.1. You can get it from APKMirror.

It’s worth noting that if you side-load the older version instead of using the up-to-date one, you must disable auto-updates for it. Also, this isn’t possible on Nvidia Shield devices as the Netflix app can’t be removed, so you need to rely on the firewall/route black hole methods. The same applies to other Android TV devices which won’t let you uninstall and side-load an older version of the streaming app.

Other devices, same solutions

The same applies to Chromecast devices, Smart TVs, Roku and likely many more. Even if streaming works on your phone/tablet/browser directly connected to the VPN, the Cast feature will just “tell” the streaming device to load the specific source using its native service apps. So in case you face a similar problem, the firewall and route blocking measures applied on the router should do the trick.

Don’t break your Internet connection!

Just a reminder in case you didn’t take it into account yet: if you are already using the Google DNS servers for your Internet connection, blocking them will have the obvious result, a broken Internet connection.

There are two ways to solve that.

1) If you use the firewall rules, you can define the source IP as the LAN IP address of your Android TV device, assuming it is fixed and won’t change on reboot. You can set it as a static IP by locking it to the device’s MAC address, again if your router supports it.

2) The simpler and more effective solution: don’t use Google DNS servers for your Internet connection. There are several other good or even better public DNS services to use. My recommendation, in no special order: Quad9 DNS (9.9.9.9, it has security capabilities like blocking malware domains and more), AdGuard DNS, NextDNS, Cloudflare.
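
The source-scoped firewall rules from option 1 and the black hole routes described earlier, written out as an added example that is not part of the original post. It assumes a Linux-based router with shell access, `iptables` and iproute2; the function names, the device address 192.168.1.50 and the use of `/etc/resolv.conf` as the place where the router's upstream resolvers are listed are all assumptions to adapt.

```sh
#!/bin/sh
# Prints (does not apply) the rules; review them, then pipe to sh as root.
# Assumes a Linux-based router with iptables and iproute2.
GOOGLE_DNS="8.8.8.8 8.8.4.4"

# valid_ipv4 ADDR: true for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# uses_google_dns FILE: true if a resolv.conf-style FILE lists a Google resolver.
uses_google_dns() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+(8\.8\.8\.8|8\.8\.4\.4)[[:space:]]*$' "$1" 2>/dev/null
}

# firewall_rules DEVICE_IP: drop traffic forwarded from one LAN device to
# Google DNS on any port (covers UDP and TCP 53); other clients are unaffected.
firewall_rules() {
    valid_ipv4 "$1" || { echo "invalid device IP: $1" >&2; return 1; }
    for dns in $GOOGLE_DNS; do
        echo "iptables -I FORWARD -s $1 -d $dns -j DROP"
    done
}

# blackhole_routes RESOLV_FILE: network-wide block; refuses when the upstream
# resolvers in RESOLV_FILE are Google's, since that would break all lookups.
blackhole_routes() {
    if uses_google_dns "$1"; then
        echo "refusing: $1 points at Google DNS" >&2; return 1
    fi
    for dns in $GOOGLE_DNS; do
        echo "ip route add blackhole $dns/32"
    done
}

# Constructed sample: 192.168.1.50 stands in for the Android TV's fixed LAN IP.
firewall_rules 192.168.1.50
blackhole_routes /etc/resolv.conf || echo "# network-wide block skipped"
```

The script only prints commands, so nothing changes on the router until the reviewed output is run as root.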
