Recently I’ve tested a few Android TV devices: Nvidia Shield, Amazon Fire TV Stick and a no-name TV box running Android TV.
The tests focused on streaming capabilities on Netflix, Amazon Prime and BBC iPlayer when connected to a VPN, and also when using a Smart DNS service. The VPN connection was set up directly on the Android TV using the VPN provider’s VPN app, and the DNS servers from the Smart DNS service were also set statically on the device.
The interesting part is that, using the same VPN or Smart DNS service, streaming worked fine in a PC browser. Yet on the Android TV device, I was getting the infamous proxy/unblocker detected error.
I was obviously not the first to face this problem, so I did a bit of research and gathered some working solutions.
The problem is that streaming apps like Netflix have hard-coded the Google DNS servers (8.8.8.8 and 8.8.4.4) and use them to resolve the streaming hostnames. Normally this shouldn’t be a problem if the VPN service takes care of blocking or overwriting DNS requests going to Google DNS, but what makes it even more interesting is that these specific DNS requests to Google DNS bypass the VPN connection. That behavior is similar to what is called a “DNS leak”.
Before you start, make sure that the service you’re using actually unblocks Netflix and the other streaming services. Use the service on a computer/Mac and check it in your browser. If it works, proceed to the solutions to make it work on your Android TV.
Blocking Google DNS on router
This seems to be the easiest fix, as long as you have a decent router which supports either firewall rules or adding static routes.
Firewall blocking: If your router has a firewall, add two rules to block all traffic to the IP addresses 8.8.8.8 and 8.8.4.4. Preferably block both UDP and TCP traffic, either on port 53 only or on all ports.
Black hole routes: This might be even easier than firewall blocking. Check whether the router supports static routes and add two, one for 8.8.8.8 and one for 8.8.4.4, via the gateway 0.0.0.0. This will make both 8.8.8.8 and 8.8.4.4 unreachable.
If the DNS servers are not reachable when the streaming app tries to use them, it will fall back to the “working” DNS servers, such as those provided by the VPN service or the Smart DNS. A simple solution to a complicated problem.
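To confirm that the block took effect, the following added example (not part of the original post) sends a hand-built DNS query to 8.8.8.8 and 8.8.4.4 over both UDP and TCP from a machine on the same LAN and reports whether each one still answers. The function names and the example.com test name are assumptions made for this example.

```python
import secrets
import socket
import struct

GOOGLE_DNS = ("8.8.8.8", "8.8.4.4")  # the two servers blocked on the router

def build_query(name, qid):
    """Encode a minimal DNS A-record query (RFC 1035) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_answer(data, qid):
    """True if `data` is a DNS response (QR bit set) carrying our query ID."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == qid and bool(flags & 0x8000)

def probe(server, proto="udp", name="example.com", port=53, timeout=2.0):
    """Return 'reachable' if `server` answers a DNS query, else 'blocked'."""
    qid = secrets.randbelow(0x10000)
    query = build_query(name, qid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data, _ = s.recvfrom(512)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                stream = s.makefile("rb")
                (size,) = struct.unpack("!H", stream.read(2))
                data = stream.read(size)
    except (OSError, struct.error):  # timeout, refused, no route, or closed early
        return "blocked"
    return "reachable" if is_answer(data, qid) else "blocked"

def check_block(servers=GOOGLE_DNS):
    """Map (server, proto) -> status for every server over UDP and TCP."""
    return {(s, p): probe(s, p) for s in servers for p in ("udp", "tcp")}

if __name__ == "__main__":
    for (server, proto), status in check_block().items():
        print(f"{server:10} {proto}/53 -> {status}")
```

All four lines should read "blocked" once the router rule or route is active. If the firewall rule is limited to the Android TV's source address, a test run from another machine will still show "reachable".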
Rolling back the streaming app to an older version
I’ve tested with the Netflix app for Android TV only, and it seems that the hard-coded Google DNS servers have been added in versions newer than 5.4.1. So, if you can uninstall the Netflix app on your Android TV, do so and side-load version 5.4.1. You can get it from APKMirror.
It’s worth noting that if you side-load the older version instead of using the up-to-date one, you must disable auto-updates for it. Also, this isn’t possible on Nvidia Shield devices as the Netflix app can’t be removed, so you need to rely on the firewall/route black hole methods. The same applies to other Android TV devices which won’t let you uninstall and side-load an older version of the streaming app.
Other devices, same solutions
It applies to Chromecast devices, Smart TVs, Roku and likely many more. Even if the streaming would work on your phone/tablet/browser directly connected to the VPN, if you use the Cast feature it will just “tell” the streaming device to load the specific source using its native service apps. So in case you face a similar problem, the firewall and route blocking measures applied on the router should do the trick.
Don’t break your Internet connection!
Just a reminder in case you didn’t take it into account yet. If you are already using the Google DNS servers for your Internet connection, blocking their servers would get the obvious result: a broken Internet connection.
There are two ways to solve that.
1) If you use the firewall rules, you can set the source IP to the LAN IP address of your Android TV device, assuming it is fixed and won’t change on reboot. You can make it a static IP by locking it to the device’s MAC address, again, if your router supports it.
2) The simpler and more effective solution: don’t use Google DNS servers for your Internet connection. There are several other good or even better public DNS services to use. My recommendation, in no special order: Quad9 DNS (9.9.9.9, it has security capabilities like blocking malware domains and more), AdGuard DNS, NextDNS, Cloudflare.