Oct 21

Fixing Plex’s app when running with pfSense’s Unbound resolver

Category: tips

For a while now I’ve had a weird issue with Plex not connecting within my network and had never really gotten down to solving it. I used to be able to cajole it to work through a few different methods, but it was never smooth. When I used the web app, I generally had to go directly to the instance and that would work properly for me, but today I tried to use Plex on my phone and it outright wasn’t connecting to any of my local Plex boxes on my network properly. It was finally time to figure out what was going wrong.

That led me to go to app.plex.tv and figure out what was going on. A while back I’d seen this post on how they were giving everyone SSL for no cost at all, and so I tried to figure out what that wanted to do. I hit 32400 via HTTPS and it gave me a certificate for something completely outside of my domain: *.[hexhash].plex.direct. Weird. That was never going to work with my own DNS; it didn’t even come close. That certificate looked interesting though, because whilst it didn’t match, it looked correct and had “Plex Devices High Assurance CA2” as an intermediate CA.

I did some more digging and found a post on trouble with TLS in the web client but not in the apps, which wasn’t quite what I was seeing now but seemed like an interesting place to look. Towards the bottom it suggested that an extension called “Privacy Browser” was blocking the requests to .plex.direct. I don’t have that, but I do have pfSense set up with pfBlockerNG. Maybe that was causing some problems?

I went to app.plex.tv and went looking for what it was trying to load. It gave me an address with the same [hexhash].plex.direct format as before, with a hostname of ‘192-168-1-100’ for the address to match my Plex box. I grabbed that address and tried to curl it: no domain. I then jumped into nslookup and sure enough it said no domain. Then I tried Google’s DNS and it pointed me back to 192.168.1.100; then I tried a few other external DNS servers and they resolved it just fine. Whatever was happening was within my network.

Finally I found a post on the Plex forum around secure connections and pfSense which suggested a simple fix to add the following to the Unbound resolver (in pfSense admin this was under Services, DNS Resolver and in the Custom Options box under “Display Custom Options”):

server:
private-domain: "plex.direct"

Before I put it in, I was curious what it actually meant, so I checked out the manual and found this:

Server Options private-domain: [domain name] – Allow this domain, and all its subdomains to contain private addresses. Give multiple times to allow multiple domain names to contain private addresses.

Essentially it permits plex.direct to return IP addresses that are private, which I can only gather is a security feature to prevent external DNS addresses from doing precisely what Plex is doing. Pretty cool feature.
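As an added illustration (not code from the post or from Plex or pfSense), this Python script models what the resolver is doing with a plex.direct name: it pulls the IPv4 address out of the dashed first label, checks it against the RFC 1918 and link-local ranges that pfSense’s rebinding check is assumed to hand Unbound as private addresses, and reports whether a given Custom Options fragment lists the domain as private-domain. The hash in the sample hostname and the config fragments are constructed samples.

```python
import ipaddress
import re

# Constructed sample in the shape app.plex.tv hands out; the hash is a placeholder.
SAMPLE_HOST = "192-168-1-100.0123456789abcdef0123456789abcdef.plex.direct"

# Ranges Unbound treats as private when rebinding protection is on
# (assumed to match pfSense's default IPv4 private-address set; adjust to yours).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# First label is the dashed IPv4 address, second is the per-server hex hash.
_PLEX_DIRECT = re.compile(
    r"^(\d{1,3}(?:-\d{1,3}){3})\.[0-9a-f]+\.plex\.direct\.?$", re.IGNORECASE)


def plex_direct_target(hostname):
    """Return the IPv4Address encoded in a *.plex.direct name, or None."""
    m = _PLEX_DIRECT.match(hostname)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1).replace("-", "."))
    except ValueError:  # e.g. an octet above 255
        return None


def private_domains(conf_text):
    """Collect the private-domain values from an Unbound config fragment."""
    return [m.group(1).rstrip(".").lower() for m in
            re.finditer(r'^\s*private-domain:\s*"?([^"\s]+)"?', conf_text, re.MULTILINE)]


def covered(hostname, domain):
    """True if domain equals hostname or is one of its parent domains."""
    h = hostname.rstrip(".").lower()
    return h == domain or h.endswith("." + domain)


def blocked_by_rebind_protection(hostname, conf_text=""):
    """True if Unbound would discard the private answer for this plex.direct name."""
    ip = plex_direct_target(hostname)
    if ip is None or not any(ip in net for net in PRIVATE_NETS):
        return False  # not a plex.direct name, or a public address: passes anyway
    return not any(covered(hostname, d) for d in private_domains(conf_text))
```

The same check explains why the external resolvers answered fine: they apply no private-address filter at all, so only a resolver with rebinding protection needs the private-domain entry.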
