Unifi Gateway & Plex Remote Access, DNS Rebinding Protection Whitelist?

Server Version#: 1.43
I recently set up a new Unifi gateway and am now dealing with the fact that it doesn’t allow Plex to rebind my IP for remote access and direct streaming. I’m googling around trying to find a guide on how to whitelist the “plex.direct” domain so my gateway stops blocking it. Does anyone know of a guide? I appreciate it.

Not sure if this still applies: https://community.ui.com/questions/DNS-Rebinding-and-Unifi-Router/7fa9d79f-0498-47fd-9170-b43c96854fe8

Thanks for the link - I did see that conversation, but it’s using UniFi software from so long ago that the menu/folder trees don’t match. I have a post on the UniFi support forum and have opened a support chat. I’ll post the resolution in this thread when I have it.

I think I have it resolved. If I run into more issues, I’ll come back here to update this. There was no need to ssh in and manually add a dnsmasq (like the old link from above). I’ve no idea if the below is simply a GUI way of doing the same, but it seems to be working. FYI I’m on UniFi Network 10.

  1. Settings (lower left gear icon) > CyberSecure (left side menu) > Content Filter (tab at top of page)
  2. Create New
  3. Add a whitelist (Allowlist) domain for plex.direct
  4. Do not limit the whitelist to only the PMS machine as DNS rebinding impacts all clients on the PMS machine’s local network
  5. Save

Edit: The above steps literally block everything on the network beyond the whitelisted domain. This isn’t a solution. I have a ticket open with UniFi to figure out how to whitelist the domain.

No good. All Plex client devices (including the web browser which is used to administer Plex) on the local network need to be able to resolve the server’s FQDN on the plex.direct domain.

My local network devices seem to be working fine without it? They’re not showing an indirect connection. And my off-site test case wasn’t showing indirect, either, with just the PMS box in the whitelist rule.

What test case should I use to show that only putting PMS on the whitelist doesn’t fully resolve the indirect play issue?

Just wait until their DNS caches are flushed.
Even then they might be streaming fine from your server, due to some content in “List of IP addresses and networks that are allowed without auth”, but certain plex features might not be working as you expect.

If the client cannot resolve the server’s FQDN on the plex.direct domain, it cannot use a secure connection (encryption only works with a security certificate. A security certificate is only attached to a domain name, not a local IP address. Thus the security certificate is not valid, thus secure connections cannot be used.)
The precise impact of this may vary, depending on the Plex client type.

In my off-site test case, if my PMS server is on the whitelist and the off-site client doesn’t have dns rebinding blocked, then that PMS-client connection shouldn’t see any issues, correct?

In my local network case, if my PMS server is on the whitelist and the on-site client is not (so dns rebinding is still blocked), then that PMS-client connection will see issues.

Do I understand correctly?

I was talking about clients in the local network. i.e. the same local network that the server is located in.
Clients on a different network are usually not affected by “DNS rebinding protection”.

If my off-site client test case was also behind its own DNS rebinding protection, would it also need to have plex.direct whitelisted on its own network gateway?

It wouldn’t be affected, because the IP address of the server is not “local” in this case. Thus the DNS rebinding protection wouldn’t fire in this local network.

But of course it would still need to be able to regularly resolve domain names on plex.tv and plex.direct.
Some ISPs have weird DNS caches which are not updated swiftly enough (and some might even filter out certain domains), so if the remote network cannot resolve the FQDN of your server or the various host names of plex.tv, you might want to switch to either 1.1.1.1 or 8.8.8.8 as a DNS server for that network.

Ok, so the rebind only impacts IPs local to the PMS machine? I didn’t expect that, thank you for clarifying!

So the plex.direct whitelist needs to be network-wide on the PMS network. I’ll update the bulleted list above.

DNS rebinding protection is specifically about an external DNS server defining a FQDN for an IP that is located on the internal network.
In most cases this is very unlikely, hence why it is considered suspicious by local DNS resolvers. But secure connections to a local Plex server require just that.
(The DNS server for the plex.direct domain is operated by Plex Inc. to save users the hassle of setting up custom domain names and certificates etc. So it is of course considered “outside” of the local network.)

Here you can find a more thorough explanation of how this all works: https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
and even more detailed here: https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/
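The following is an added diagnostic, not code from this thread, from Plex or from Ubiquiti. It relies on the naming scheme described in the linked write-up: a plex.direct hostname carries the server's IP address in its first label (dots, or IPv6 colons, replaced by dashes), so the answer the resolver *should* return can be recovered from the name and compared with what it actually returns. An empty answer for a name that encodes a private address is the signature of rebinding protection stripping the record; an empty answer for a public address is an ordinary DNS failure. The hostnames and hash label used in `main()` are constructed placeholders.

```python
"""Classify resolver answers for plex.direct names to tell DNS rebinding
filtering apart from plain DNS failures (added example, not Plex code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def expected_address(hostname: str) -> IPAddress:
    """Recover the IP address encoded in the first label of a plex.direct name.

    IPv4: "192-168-1-20.<hash>.plex.direct" -> 192.168.1.20
    IPv6: "2001-db8--1.<hash>.plex.direct"  -> 2001:db8::1
    """
    if not hostname.lower().endswith(".plex.direct"):
        raise ValueError(f"not a plex.direct hostname: {hostname}")
    label = hostname.split(".", 1)[0]
    parts = label.split("-")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ipaddress.ip_address(".".join(parts))
    return ipaddress.ip_address(label.replace("-", ":"))


def classify(hostname: str, answers: Iterable[str]) -> str:
    """Compare resolver answers with the address embedded in the name.

    Returns one of:
      "ok"             the embedded address came back
      "rebind-blocked" embedded address is private (RFC 1918 etc.) and the
                       resolver returned nothing: typical rebind filtering
      "no-answer"      embedded address is public and nothing came back:
                       an ordinary DNS failure, not rebind protection
      "mismatch"       the resolver returned some other address
    """
    expected = expected_address(hostname)
    got = {ipaddress.ip_address(a) for a in answers}
    if expected in got:
        return "ok"
    if not got:
        # is_private also covers loopback, link-local and documentation ranges,
        # which a rebind filter treats the same way as RFC 1918 space.
        return "rebind-blocked" if expected.is_private else "no-answer"
    return "mismatch"


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the OS stub resolver; [] on NXDOMAIN or no data."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(hostname: str, resolver: Resolver = system_resolver) -> str:
    """Resolve a plex.direct name with the given resolver and classify it."""
    return classify(hostname, resolver(hostname))


def main() -> None:
    # Constructed scenarios with simulated resolver answers; no network needed.
    hash_label = "0123456789abcdef0123456789abcdef"  # placeholder, not a real server
    local_name = f"192-168-1-20.{hash_label}.plex.direct"
    public_name = f"8-8-8-8.{hash_label}.plex.direct"
    scenarios = [
        ("clean LAN",             local_name,  ["192.168.1.20"]),
        ("LAN, rebind filtered",  local_name,  []),
        ("WAN, DNS outage",       public_name, []),
        ("LAN, wrong answer",     local_name,  ["10.0.0.1"]),
    ]
    for label, name, answers in scenarios:
        verdict = check(name, resolver=lambda _n, a=answers: a)
        print(f"{label:22s} {name} -> {verdict}")


if __name__ == "__main__":
    main()
```

To test a real gateway, call `check()` with the server's actual plex.direct name and the default `system_resolver` from a client on the same LAN; a "rebind-blocked" verdict is the condition the thread's whitelist rule is meant to clear, and running it from the PMS host and from another LAN client shows whether the rule is scoped too narrowly.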

What was the eventual solution of this? Setting up my UniFi Sunday, working through the build process from my old ER4, and this is on the list because I had settings in my ER4 previously.