It seems some people abused he.net tunnels to fake their geographical location in order to access Netflix. Not a bad idea from a technical perspective, but quite annoying if you would like to use Netflix AND he.net tunnels: Netflix was so kind as to block the entire he.net IPv6 range.
Common workarounds are disabling AAAA lookups for netflix.com or blackhole-routing the Netflix IPv6 prefixes so that clients fall back to IPv4. I favour the latter:
ip -6 route add blackhole 2a01:578:3::/48
ip -6 route add blackhole 2406:da00:ff00::/48
ip -6 route add blackhole 2600:1407:19::/48
ip -6 route add blackhole 2607:f8b0:4001::/48
ip -6 route add blackhole 2620:108:700f::/48
Verify with "ip -6 route show type blackhole". Keep in mind that a blackhole route silently discards packets, so a client only falls back to IPv4 once its IPv6 connection attempt times out (browsers with Happy Eyeballs cope with that quickly, other clients may not); an "unreachable" route would instead return an ICMPv6 error right away.
As it turned out, my initial idea was good but not perfect. I ended up with a pretty standard dnsdist configuration that just forwards any request to the ISP's nameservers and blocks AAAA lookups for Netflix:
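As an added illustration (this is not the author's configuration), here is a minimal dnsdist setup that does what the paragraph describes. It assumes dnsdist 1.4 or newer (the DNSQType and DNSRCode constants), and the ISP resolver addresses 192.0.2.53 and 192.0.2.54 are placeholders you would replace with your own:

```lua
-- Added example, not the author's config. dnsdist listens locally, forwards
-- everything to the ISP resolvers, and answers AAAA queries for netflix.com
-- (and its subdomains) with an empty NOERROR response (NODATA), so clients
-- immediately use the A records instead of waiting on a blackholed route.
setLocal("127.0.0.1:53")
setLocal("[::1]:53")

-- Assumption: these are the ISP's resolvers; replace with the real ones.
newServer({address="192.0.2.53"})
newServer({address="192.0.2.54"})

-- makeRule("netflix.com") builds a suffix match, so www.netflix.com etc.
-- are covered too. NODATA is the right answer here: the names do exist,
-- they just must not resolve to IPv6 on this network. NXDOMAIN would claim
-- the name does not exist at all, and DropAction() would make clients time out.
addAction(AndRule({QTypeRule(DNSQType.AAAA), makeRule("netflix.com")}),
          RCodeAction(DNSRCode.NOERROR))
```

To check it, point a client at 127.0.0.1 and query both record types: an AAAA query for netflix.com should come back NOERROR with zero answers, while an A query for the same name should still return the addresses the ISP resolvers hand out.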