
Many Apple properties work only after repeated attempts

For around two weeks, many requests to Apple properties (App Store, Apple Music etc.) have been failing, resulting in “Connection to App Store failed” messages, podcasts that won’t download, etc.

The logs do not show any blocked requests. Enabling or disabling blocklists and other features seems to have no real effect. Explicitly whitelisting tens of Apple (sub)domains also does not solve the problem.

If a site or service fails to load, I retry many times. Sometimes by the 5th, sometimes by the 50th try the request succeeds. Sometimes even retries do not help.

One method that always works is disabling NextDNS. From that moment onwards, requests to Apple services resume working immediately.

On Reddit I’ve seen multiple people reporting the same issue: https://reddit.com/r/nextdns/comments/vqi7zz/issues_reaching_apple_services_like_app_store/

  • For anyone encountering this issue (Apple domains failing, nothing blocked in the logs), could you try the following and report back here?

    1. Switch temporarily to a no-profile DNS endpoint (https://dns.nextdns.io, dns.nextdns.io or 45.90.28.0/45.90.30.0).

    2. If you're still getting the issue with 1., try setting up Quad9 (9.9.9.9).

    Could you also share the following (ideally here, but privately is fine as well)

    - Your ISP and approximate location (closest metropolitan area is enough)

    - The output of https://test.nextdns.io

    Like 1
      • Leo Kennis, 6 mths ago

      NextDNS In all my “tinkering” so far this setting did not seem to have an effect.

      This evening I tried to test a little more methodically: first basically disable everything, then one by one enable block lists and features. So far, disabling “Threat Intelligence Feeds” seems to bring the most improvement.

      But as the issue is not constant (i.e. even with Threat Intelligence Feeds on, after some retries stuff like the App Store does load) I’m not 100% convinced yet. 

      Like 1
    • Leo Kennis We have updated our response with some debugging steps that would help us isolate the issue, could you check it out?

      Like 1
      • Leo Kennis, 6 mths ago

      NextDNS Hi, 1. I’ll try later today. With 2. (Quad9) there is no issue and everything works.
      Since disabling Threat Intelligence Feeds yesterday I have seen fewer issues overall.

      My ISP is Ziggo and I live in Arnhem, The Netherlands. 
      Output of test:

      {
      "status": "ok",
      "protocol": "DOH",
      "profile": "fpf10a092a2c867e8f",
      "client": "31.151.45.99",
      "srcIP": "31.151.45.99",
      "destIP": "95.179.134.211",
      "anycast": false,
      "server": "vultr-ams-1",
      "clientName": "nextdns-ios",
      "deviceName": "iPhone van Leo",
      "deviceID": "5OPR6",
      "deviceModel": "Apple iPhone14,3"
      }
      Like 2
    • Tried all, works everywhere except when using NextDNS. Service provider Mobily, Jeddah KSA

      {
      "status": "ok",
      "protocol": "DOH",
      "profile": "fp6931c7554048953d",
      "client": "31.167.37.163",
      "srcIP": "31.167.37.163",
      "destIP": "185.140.251.24",
      "anycast": false,
      "server": "navico-ruh-1",
      "clientName": "dnscrypt"
      }

       

      NextDNS 

      Like
      • Abe Moss, 6 mths ago

      Abdul Rehman you're using a DNSCrypt client according to the test results you posted.

      Like
    • Hi Abe Moss 

      Yes, I noticed that I turned off everything in Security, and DoH is set up on Firewalla with all other DoH off, only NextDNS. Looking at my NextDNS page it shows I am connected to it, and all App Store issues are gone. I will turn the security settings back on one by one and see which one is causing the issue, if it doesn’t pop up here on this thread.

      Like 1
      • Leo Kennis, 6 mths ago

      NextDNS hi, has there been any progress in investigating this issue so far?

      Like 2
  • I don't know if this is related, but I couldn't reach multiple pages on the web. Apple support pages like this one, for example. iCloud.com wouldn't load either.

    I only have the "oisd full" list enabled, and have enabled all the switches on the Security, Privacy and Settings pages.

    When disabling NextDNS they load instantly, so it must be NextDNS related, but no blocks appear in the logs. After trying a lot, switching everything off and on multiple times, it seems that disabling "Block Dynamic DNS Hostnames" works for me. Support pages and iCloud.com load fine now. I've only tried it for a short time, so I can't tell whether it will continue to work.

    But it is clear that there is something not okay with NextDNS enabled.

    Like
    • Disabling "Block Dynamic DNS Hostnames" didn't work as expected. Apple pages stopped loading again. But good to know: App Store and Apple Music load perfectly fine on my side. It only happens with support pages on support.apple.com and iCloud.com (so maybe it's not entirely related).

      I tried step 1 from @NextDNS post and it started to load immediately, but still a bit slower than without NextDNS (DNS from ISP).  Changing it to Quad9 it loads as fast as my ISP DNS.

      The strangest thing is, sometimes it does work sometimes it doesn't..

      My ISP is also Ziggo, located near Rotterdam, NL.

      {
      "status": "ok",
      "protocol": "DOH",
      "profile": "fp430c5cffa76eecc3",
      "client": "2001:1c02:1504:4000:45cc:*:*:*",
      "srcIP": "2001:1c02:1504:4000:45cc:*:*:*",
      "anycast": false,
      "server": "vultr-ams-1",
      "clientName": "nextdns-mac",
      "deviceName": "MacBook Pro van Michael",
      "deviceID": "FIJRU",
      "deviceModel": "Apple MacBookPro18,3"
      }
      
      Like 1
    • Update:

      Unfortunately disabling "Block Dynamic DNS Hostnames" didn't resolve it. Couldn't sign in to beta.apple.com and couldn't find any iOS and macOS updates. Disabling NextDNS resolved this immediately. It doesn't matter what I disable on my.nextdns.io, nothing seems to work. Sometimes it works, most of the time it doesn't.

      Like 1
  • Thank you for posting. I have the same issue with App Store / Apple Music / iTunes, and it prevents most Apple connected devices (except one) from functioning

    For instance, two brand new HomePod Mini speakers fail to connect to Apple Music and iTunes on Apple TV. 

    I've exhausted every possible combination of troubleshooting steps that I could muster, but to no avail.

    Like 1
    • Abe Moss We have updated our response with some debugging steps that would help us isolate the issue, could you check it out?

      Like 1
      • Abe Moss, 6 mths ago

      NextDNS 

      I don't achieve any success by disabling "Threat Intel Feeds", nor any other blacklists for that matter.

      The only solution so far is to blow away the NextDNS profile on the Apple TV 4K device. 

      The device functions as intended with Quad9, Cloudflare, and a couple of other 3rd party DNS providers' settings manually plugged in.

      My ISP is AT&T (the Gigabit Fiber internet access).

      The Apple TV console is hooked directly into AT&T's Nokia Gateway via CAT7 Ethernet cable, and the connection is the most reliable I've had anywhere in the US (residential setting).

      I'm currently in Greenville, SC.

      Thank you!

      Like
  • Same here. Also Ziggo/Vodafone. 1.1.1.1 and 9.9.9.9 work fine. Also switching to cellular data (with NextDNS enabled) instantly fixes the issue. 
     

    Update: same is true for enabling VPN (with DNS via NextDNS).

    Like 3
    • Christiaan Slim Exactly the same over here. Could it have something to do with Ziggo?

      Like
      • Leo Kennis, 6 mths ago

      Michael Nieuwstraten Ziggo is a common factor but so is NextDNS…seems they don’t interact as they should. 

      Like
    • Leo Kennis Does disabling "AI-driven threat detection" help in loading? I tried many things and this one gave me the best (but still not perfect) results, just curious.

      Like
      • Leo Kennis, 6 mths ago

      Michael Nieuwstraten For me, in order of effectiveness:

      1. Disabling NextDNS: prevents 100% of issues
      2. Disabling “Threat Intelligence Feeds”: prevents 75% of issues
      3. Disabling other features, blocklists, whitelisting: prevents <1% of issues
      Like 1
  • Glad I found this topic. Same for me using KPN in the Amsterdam region. When using NextDNS I have extreme difficulty reaching anything iTunes Store or App Store related. Tried all settings but nothing works (except disabling NextDNS). I am going to cancel my NextDNS subscription because....

    Like
  • @NextDNS Any news on this topic?

    Like
  • Hello everyone,

    I also wanted to share some relevant info.

    Just to be explicit, I experienced **the “update all [apps]” button not working as expected in the App Store**. The app-update indicator keeps spinning and spinning and eventually stops without having updated anything. Confusingly, one can update single apps one by one manually, but not via the Update All button. 😶

    I also started with my filters, but there wasn’t really anything special going on besides an occasional ad query coming from inside the App Store (so I assume); changing the filters did not fix the problem.

    I stumbled on (older) references to EDNS under the config/performance settings, where I started to experiment with different combinations of these switches.

    Warning for skimmers: changes to these DNS settings take at least 5 minutes to propagate, as cached DNS records need to expire, so your changes will not always affect your device in real time.

    My working hypothesis is that the switch *Cache-boost* can be a workaround. What the *true* reason for this relatively new undesired (iOS) behaviour is remains to be seen, but turning off cache boost resulted in me being able to update all apps again.

    I use the app and have a dedicated profile for iOS devices.

    If you choose to test, do this:

    Put everything back the way you like it. All bells and whistles, no Apple domain in the exception or block list.

    **Disable cache-boost**; you may leave edns and flattening enabled. 

    In my case I had the beta threat intelligence disabled.

    Set a timer for 5 minutes and wait.

    After 5 minutes, go to the App Store. Touch your initials, drag down to refresh the update page. Press Update All.

    I have witnessed success a few times, but it is limited to the number of devs pushing new updates. **I need more data**. Feel free to share.

    Hopefully this helps and aids NextDNS in figuring out what is going on. ✌️

    P.s. Cache-boost is a good feature because a TTL of 5 seconds has downsides, but in this case - for assumed fixing purposes - I accept it disabled. I do not recommend this for shared NextDNS profiles for other devices, only for test-fixing iOS.

    Like
      • TechFan, 6 mths ago

      TechFan Cannot edit my post any more.

      Update: 4 out of 5 tests were successful with cache-boost off and updated apps successfully like they used to.

      Too high TTL might be a factor, but I am starting to doubt disabling cache-boost as a viable work-around.

      I will keep testing.

      I can confirm though, if I disable the NextDNS app and press "Update All", everything updates immediately, like posters above me also pointed out.

      Like
      • Leo Kennis, 6 mths ago

      TechFan to be honest, there are multiple settings that, when I disable them, seem to make everything work again. For 30 minutes. Then it’s broken again.
      It might just be a “placebo effect”: even if I had not changed any settings, due to the randomness of Apple stuff failing and then working, a request was bound to suddenly temporarily work again. But as I was tinkering with NextDNS, I attribute it working again to the tinkering instead.

      This evening the final straw broke this camel’s back. After a busy day I wanted to watch an iTunes movie on my Apple TV together with my wife, but I had to reboot the Apple TV twice and after that force kill the TV app once more before the movie finally loaded. It ate 15 minutes of our movie watching time and made me grumpy.

      Due to this bug the “wife acceptance factor” of NextDNS is at an all time low.


      For now I switched to the AdGuard DNS beta. It’s worse than NextDNS (less blocklists and features) but hey, actually it’s better because it lets me do stuff online as opposed to NextDNS…and that’s what a DNS should be for…

      I’m honestly sad because I’ve loved NextDNS since the beginning and have evangelized it on multiple occasions. Now I cannot do that anymore in good conscience.

      Like
    • Leo Kennis for a failing apple domain, would you be able to provide its dig output with and without nextdns?

      Like
      • Leo Kennis, 6 mths ago

      NextDNS I tried this link: https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx

      On a Mac it should open the TV app showing the series "Severance".

      NextDNS:

      dig output:

      [~] dig https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      
      ; <<>> DiG 9.10.6 <<>> https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20405
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx. IN A
      
      ;; AUTHORITY SECTION:
      .            1721    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2022071802 1800 900 604800 86400
      
      ;; Query time: 112 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Tue Jul 19 09:07:29 CEST 2022
      ;; MSG SIZE  rcvd: 176

      The "SERVER" section looks weird (192... IP) - I set NextDNS in my router and via the NextDNS app on my MacBook.

      Actual result: see screenshot, translated something like "content is not available"

      AdGuard DNS:

      dig output:

      [~] dig https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      
      ; <<>> DiG 9.10.6 <<>> https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33377
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx. IN A
      
      ;; AUTHORITY SECTION:
      .            1745    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2022071802 1800 900 604800 86400
      
      ;; Query time: 81 msec
      ;; SERVER: 94.140.14.49#53(94.140.14.49)
      ;; WHEN: Tue Jul 19 09:07:57 CEST 2022
      ;; MSG SIZE  rcvd: 176

      The only real difference is the number after "udp" which I assume is a port?

      Actual result: see screenshot, I can watch Severance now.

      Like 1
    • Leo Kennis please only give tv.apple.com as argument to dig, not the full URL.

      Like
      • Leo Kennis, 6 mths ago

      NextDNS Ok.

      NextDNS:


      [/] dig tv.apple.com
      
      ; <<>> DiG 9.10.6 <<>> tv.apple.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65356
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;tv.apple.com. IN A
      
      ;; ANSWER SECTION:
      tv.apple.com. 284 IN CNAME itunes-cdn.itunes-apple.com.akadns.net.
      itunes-cdn.itunes-apple.com.akadns.net. 2933 IN CNAME itunes.apple.com.edgekey.net.
      itunes.apple.com.edgekey.net. 5130 IN CNAME e673.dsce9.akamaiedge.net.
      e673.dsce9.akamaiedge.net. 16 IN A 23.222.18.39
      
      ;; Query time: 1037 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Tue Jul 19 16:43:05 CEST 2022
      ;; MSG SIZE  rcvd: 184

      AdGuard DNS:

      [/] dig tv.apple.com
      
      ; <<>> DiG 9.10.6 <<>> tv.apple.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34092
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;tv.apple.com. IN A
      
      ;; ANSWER SECTION:
      tv.apple.com. 126 IN CNAME itunes-cdn.itunes-apple.com.akadns.net.
      itunes-cdn.itunes-apple.com.akadns.net. 2241 IN CNAME itunes.apple.com.edgekey.net.
      itunes.apple.com.edgekey.net. 21371 IN CNAME e673.dsce9.akamaiedge.net.
      e673.dsce9.akamaiedge.net. 42 IN A 72.246.168.25
      
      ;; Query time: 195 msec
      ;; SERVER: 94.140.14.49#53(94.140.14.49)
      ;; WHEN: Tue Jul 19 16:43:51 CEST 2022
      ;; MSG SIZE  rcvd: 184
      

      So do I see correctly that both DNS servers return a different IP for "e673.dsce9.akamaiedge.net"?

      Like
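      The two answers above walk the same CNAME chain and end at different Akamai edge addresses, which is the thing worth checking mechanically when an issue is intermittent. The following is an added example, not code from this thread, from NextDNS or from AdGuard: it parses dig output and diffs what each resolver returned (status, the EDNS `udp:` value, which is the UDP payload size the resolver advertises rather than a port, the answering server, query time and the answer records), and it extracts the hostname from a URL, since the earlier NXDOMAIN came from handing dig a full URL instead of a name. The two dig outputs are embedded as constants copied from this thread (trailing WHEN/MSG SIZE lines dropped); the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Two dig answers for tv.apple.com copied from this thread: one obtained with
# NextDNS configured, one with AdGuard DNS. Embedded so the script runs offline.
DIG_NEXTDNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65356
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tv.apple.com. IN A
;; ANSWER SECTION:
tv.apple.com. 284 IN CNAME itunes-cdn.itunes-apple.com.akadns.net.
itunes-cdn.itunes-apple.com.akadns.net. 2933 IN CNAME itunes.apple.com.edgekey.net.
itunes.apple.com.edgekey.net. 5130 IN CNAME e673.dsce9.akamaiedge.net.
e673.dsce9.akamaiedge.net. 16 IN A 23.222.18.39
;; Query time: 1037 msec
;; SERVER: 192.0.2.42#53(192.0.2.42)
"""
DIG_ADGUARD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34092
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tv.apple.com. IN A
;; ANSWER SECTION:
tv.apple.com. 126 IN CNAME itunes-cdn.itunes-apple.com.akadns.net.
itunes-cdn.itunes-apple.com.akadns.net. 2241 IN CNAME itunes.apple.com.edgekey.net.
itunes.apple.com.edgekey.net. 21371 IN CNAME e673.dsce9.akamaiedge.net.
e673.dsce9.akamaiedge.net. 42 IN A 72.246.168.25
;; Query time: 195 msec
;; SERVER: 94.140.14.49#53(94.140.14.49)
"""


def parse_dig(text):
    """Parse dig's text output into status, EDNS buffer size, server, timing and records."""
    out = {"status": None, "edns_udp": None, "server": None, "query_ms": None, "records": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "HEADER" in line:                       # ;; ->>HEADER<<- ... status: NOERROR ...
            m = re.search(r"status: (\w+)", line)
            out["status"] = m.group(1) if m else None
        elif line.startswith("; EDNS:"):           # advertised UDP payload size, not a port
            m = re.search(r"udp: (\d+)", line)
            out["edns_udp"] = int(m.group(1)) if m else None
        elif line.startswith(";; SERVER:"):
            m = re.search(r"SERVER: ([^#]+)#", line)
            out["server"] = m.group(1) if m else None
        elif line.startswith(";; Query time:"):
            m = re.search(r"(\d+) msec", line)
            out["query_ms"] = int(m.group(1)) if m else None
        elif line.endswith("SECTION:"):            # QUESTION / ANSWER / AUTHORITY / OPT
            section = line.lstrip("; ").split()[0]
        elif line.startswith(";"):                 # comment or the question line itself
            continue
        elif section:                              # "name ttl class type rdata"
            parts = line.split(None, 4)
            if len(parts) == 5:
                name, ttl, _cls, rtype, rdata = parts
                out["records"].setdefault(section, []).append(
                    {"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return out


def cname_chain(parsed):
    return [(r["name"], r["rdata"]) for r in parsed["records"].get("ANSWER", []) if r["type"] == "CNAME"]


def addresses(parsed):
    return [r["rdata"] for r in parsed["records"].get("ANSWER", []) if r["type"] in ("A", "AAAA")]


def compare_resolvers(text_a, text_b):
    """Side-by-side diff of two resolvers' answers for the same name."""
    a, b = parse_dig(text_a), parse_dig(text_b)
    return {
        "status": (a["status"], b["status"]),
        "edns_udp": (a["edns_udp"], b["edns_udp"]),
        "query_ms": (a["query_ms"], b["query_ms"]),
        "same_cname_chain": cname_chain(a) == cname_chain(b),
        "addresses": (addresses(a), addresses(b)),
        "same_addresses": sorted(addresses(a)) == sorted(addresses(b)),
    }


def hostname_from_url(target):
    """dig wants a hostname; a full URL is looked up literally and yields NXDOMAIN."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.split("/")[0]


if __name__ == "__main__":
    for key, value in compare_resolvers(DIG_NEXTDNS, DIG_ADGUARD).items():
        print(f"{key}: {value}")
```

      Run it as-is for the two captured answers, or paste fresh `dig tv.apple.com @resolver` output into the constants. Different edge addresses from two resolvers are expected for a CDN name (each resolver's location steers the answer), so the report is only a starting point: the interesting case is an address that is returned but then fails to load.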
    • Leo Kennis the first CNAME leads to a different Akamai location. The first is Amsterdam, the second is Frankfurt. That’s not unexpected.

      Can you please add a rewrite with this hostname and the second IP and see if you are still experiencing the issue to validate this is the problem?

      A traceroute to both IPs would be interesting too if possible.

      Like
      • TechFan, 6 mths ago

      NextDNS - Just unpacking the compound instructions.

      NextDNS asks you to go to the Settings tab of your NextDNS configuration, header 'Rewrites', and add:
      tv.apple.com with AdGuard's resolved IP of 'tv.apple.com': 72.246.168.25 (or the most recent IP from AdGuard DNS's resolution).

      And then open the url to open the TV app again to see if it works now.

      ---

      I think, to test this correctly, one should recreate the error prior to rewriting the domain name in NextDNS, to exclude the passage of time already having changed the situation again, like Leo also shared.

      Like
      • Leo Kennis, 6 mths ago

      NextDNS Hi, for the "rewrite" can you explain in a little more detail what you mean?

      For the traceroutes:

      To NextDNS resolved IP 23.222.18.39:

      [~] traceroute -I 23.222.18.39
      traceroute to 23.222.18.39 (23.222.18.39), 64 hops max, 72 byte packets
      1  192.168.0.1 (192.168.0.1)  9.405 ms  7.294 ms  5.471 ms
      2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  23.604 ms  20.450 ms  15.337 ms
      3  212.142.53.249 (212.142.53.249)  13.912 ms  22.182 ms  16.739 ms
      4  asd-tr0021-cr101-be110-2.core.as33915.net (213.51.7.84)  21.772 ms  17.030 ms  18.320 ms
      5  nl-ams14a-ri1-ae51-0.core.as9143.net (213.51.64.186)  17.231 ms  16.524 ms  19.911 ms
      6  213.46.182.38 (213.46.182.38)  22.520 ms  22.767 ms  24.723 ms
      7  ae0.cr3-ams2.ip4.gtt.net (89.149.182.74)  17.824 ms  24.987 ms  21.391 ms
      8  ip4.gtt.net (213.254.197.138)  18.271 ms  23.868 ms  26.259 ms
      9  a23-222-18-39.deploy.static.akamaitechnologies.com (23.222.18.39)  28.252 ms  22.767 ms  24.515 ms
      

      To AdGuard DNS resolved IP 72.246.168.25:

      [~] traceroute -I 72.246.168.25
      traceroute to 72.246.168.25 (72.246.168.25), 64 hops max, 72 byte packets
      1  192.168.0.1 (192.168.0.1)  6.480 ms  4.901 ms  5.103 ms
      2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  19.330 ms  14.521 ms  16.869 ms
      3  212.142.54.249 (212.142.54.249)  13.637 ms  12.878 ms  17.663 ms
      4  asd-rc0001-cr101-be110-2.core.as33915.net (213.51.7.82)  16.142 ms  15.686 ms  20.497 ms
      5  nl-ams09c-ri1-ae50-0.core.as9143.net (213.51.64.62)  29.991 ms  14.347 ms  19.510 ms
      6  ae14-209.rt.tc2.ams.nl.retn.net (87.245.246.18)  22.864 ms  20.688 ms  26.455 ms
      7  ae2-10.rt.eqx.fkt.de.retn.net (87.245.234.112)  21.456 ms  25.965 ms  23.380 ms
      8  87.245.214.163 (87.245.214.163)  27.526 ms  28.516 ms  25.650 ms
      9  a72-246-168-25.deploy.static.akamaitechnologies.com (72.246.168.25)  22.381 ms  29.462 ms  19.708 ms
      
      Like
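      The two traces above share only the first two hops and then reach different Akamai edge nodes over different transit networks. This is an added example, not code from this thread or from NextDNS, that parses traceroute output, finds the hop where two paths diverge, lists the transit domains each path crosses, and reports whether the target answered and the mean RTT of the final hop. Both traceroutes are embedded as constants copied from this thread; the function names are assumptions of this example.

```python
import re
from statistics import mean

# Two traceroutes copied from this thread, to the Akamai edge IPs returned by
# NextDNS (23.222.18.39) and by AdGuard DNS (72.246.168.25). Embedded so the
# comparison runs offline.
TRACE_NEXTDNS_IP = """\
traceroute to 23.222.18.39 (23.222.18.39), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  9.405 ms  7.294 ms  5.471 ms
 2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  23.604 ms  20.450 ms  15.337 ms
 3  212.142.53.249 (212.142.53.249)  13.912 ms  22.182 ms  16.739 ms
 4  asd-tr0021-cr101-be110-2.core.as33915.net (213.51.7.84)  21.772 ms  17.030 ms  18.320 ms
 5  nl-ams14a-ri1-ae51-0.core.as9143.net (213.51.64.186)  17.231 ms  16.524 ms  19.911 ms
 6  213.46.182.38 (213.46.182.38)  22.520 ms  22.767 ms  24.723 ms
 7  ae0.cr3-ams2.ip4.gtt.net (89.149.182.74)  17.824 ms  24.987 ms  21.391 ms
 8  ip4.gtt.net (213.254.197.138)  18.271 ms  23.868 ms  26.259 ms
 9  a23-222-18-39.deploy.static.akamaitechnologies.com (23.222.18.39)  28.252 ms  22.767 ms  24.515 ms
"""
TRACE_ADGUARD_IP = """\
traceroute to 72.246.168.25 (72.246.168.25), 64 hops max, 72 byte packets
 1  192.168.0.1 (192.168.0.1)  6.480 ms  4.901 ms  5.103 ms
 2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  19.330 ms  14.521 ms  16.869 ms
 3  212.142.54.249 (212.142.54.249)  13.637 ms  12.878 ms  17.663 ms
 4  asd-rc0001-cr101-be110-2.core.as33915.net (213.51.7.82)  16.142 ms  15.686 ms  20.497 ms
 5  nl-ams09c-ri1-ae50-0.core.as9143.net (213.51.64.62)  29.991 ms  14.347 ms  19.510 ms
 6  ae14-209.rt.tc2.ams.nl.retn.net (87.245.246.18)  22.864 ms  20.688 ms  26.455 ms
 7  ae2-10.rt.eqx.fkt.de.retn.net (87.245.234.112)  21.456 ms  25.965 ms  23.380 ms
 8  87.245.214.163 (87.245.214.163)  27.526 ms  28.516 ms  25.650 ms
 9  a72-246-168-25.deploy.static.akamaitechnologies.com (72.246.168.25)  22.381 ms  29.462 ms  19.708 ms
"""

TARGET_RE = re.compile(r"^traceroute to \S+ \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s+(.*)$")


def parse_traceroute(text):
    """Return the target IP and one dict per hop (host, ip, list of RTTs in ms)."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append({"hop": int(m.group(1)), "host": m.group(2), "ip": m.group(3), "rtts": rtts})
        elif re.match(r"^\s*\d+\s+\*", line):      # hop that did not answer the probes
            hops.append({"hop": int(line.split()[0]), "host": None, "ip": None, "rtts": []})
    return {"target": target, "hops": hops}


def transit_domains(trace):
    """Last two labels of each named hop, in path order, de-duplicated."""
    seen = []
    for h in trace["hops"]:
        if h["host"] and h["host"] != h["ip"]:
            dom = ".".join(h["host"].split(".")[-2:])
            if dom not in seen:
                seen.append(dom)
    return seen


def compare_paths(a, b):
    """How many leading hops two traces share, where they diverge, and how each ends."""
    shared = 0
    for ha, hb in zip(a["hops"], b["hops"]):
        if ha["ip"] != hb["ip"]:
            break
        shared += 1

    def summary(t):
        last = t["hops"][-1] if t["hops"] else None
        return {
            "reached": bool(last) and last["ip"] == t["target"],
            "hops": len(t["hops"]),
            "last_host": last["host"] if last else None,
            "last_rtt_ms": round(mean(last["rtts"]), 3) if last and last["rtts"] else None,
        }

    shortest = min(len(a["hops"]), len(b["hops"]))
    return {"shared_hops": shared,
            "diverge_at_hop": shared + 1 if shared < shortest else None,
            "a": summary(a), "b": summary(b)}


if __name__ == "__main__":
    a, b = parse_traceroute(TRACE_NEXTDNS_IP), parse_traceroute(TRACE_ADGUARD_IP)
    print(compare_paths(a, b))
    print(transit_domains(a), transit_domains(b))
```

      For the captured traces this reports divergence at hop 3, with one path crossing gtt.net and the other retn.net before both reach akamaitechnologies.com, and both targets answering with similar last-hop RTTs. A path that differs but completes normally, as here, points away from plain reachability and back toward which address the client was handed at the moment the failure occurred.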
      • TechFan, 6 mths ago

      Leo Kennis they want you to overwrite your NextDNS' DNS response with the IP of Adguard DNS by adding an entry of 'tv.apple.com' in Rewrites [Herschrijvingen] section in your my.nextdns.io account settings.

      Then, when your Mac resolves tv.apple.com via your NextDNS DNS by opening your test-case URL https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx again, it will return the same IP as AdGuard DNS does.

      Like
      • Leo Kennis, 6 mths ago

      TechFan ah okay…as it’s unpredictable at what time which Apple URL will fail, I’ll need to invest some time into that.

      Like
  • @NextDNS @leo_kennis

    Do you have a position on IPv4 and IPv6 in relation to this topic? Would this behaviour be explained by clients not having IPv6 addresses assigned? (tv.apple.com resolves to 4 AAAA records and 1 A record.)

    Feel free to ignore if irrelevant, just trying to get more info shared.

    I can see one of the posters has an IPv6 address in the test output, so this might be one we can exclude in "House's differential diagnosis".

    Like
  • @NextDNS can you give me a % chance this issue will be resolved? If not, please save me from having to check this topic again and again without any progress made. I will just switch to another DNS provider permanently...

    Like
  • @NextDNS exactly the same issue. Me and some of my friends who also use NextDNS are about to leave NextDNS as well.
    No solution seems to work and this has been ongoing for at least 2-3 months now. It gets way too annoying.
    NextDNS please fix it. I loved how it works and this is going to cost you guys a huge amount of users.

    Like
  • Perhaps the NextDNS app can be expanded with an additional feedback mechanism? Or perhaps even local logs to consult. It is hard to debug.

    As a test, nowadays, in the iOS NextDNS app, I switch off the custom ID switch, effectively disabling most of the custom configuration, but keeping NextDNS DOH on.

    No conclusive results yet.

    Like
  • Disabling "Cryptojacking Protection" (Prevent the unauthorized use of your devices to mine cryptocurrency.) resolved the issue.

    Like
      • TechFan, 2 mths ago

      Hey Mika, would you mind reporting back after a few days if your solution persists?
      This thread's solution has proven to be difficult to truly confirm because of actions that have a temporary effect.

      Like