9

Many Apple properties work only after repeated attempts

Since around two weeks, many requests to Apple properties (App Store, Apple Music etc.) fail resulting in “Connection to App Store failed” messages, podcasts that won’t download etc. 

The logs do not show any blocked requests. Enabling or disabling blocklists and other features seem to have no real effect. Explicitly whitelisting tens of Apple (sub)domains also does not solve the problem.

If a site or service fails to load, I retry many times. Sometimes by the 5th, sometimes by the 50th try the requests succeeds. Sometimes even retries do not help.  

One method that always works is disabling NextDNS. From that moment onwards, requests to Apple services resume to work immediately. 

On Reddit I’ve seen multiple people reporting the same issue: https://reddit.com/r/nextdns/comments/vqi7zz/issues_reaching_apple_services_like_app_store/

52 replies

null
    • TechFan
    • 2 yrs ago
    • Reported - view

    Hello everyone,

    I also wanted to share some relevant info.

    Just to be explicit, I experienced **the “update all [apps]” button not working as expected in App Store**. App-update-indicator keep spinning and spinning and eventually stop not having updated anything. Confusingly, one can update single apps one by one manually, but not via the update all app. 😶

    I also started with my filters, but there wasn’t really going on anything special besides an occasional ad query coming from inside the App Store (so I assume), changing the filters did not fix the problem.

    I stumbled on (older) references to EDNS under the config\performance where I started to experiment with different combinations of these switches.

    ! Warning for skimmers: messing with these dns settings will take at least 5 minutes to propagate so the dns cache records expire so your changes will not always effect your device real-time.

    My working hypothesis is that the switch *Cache-boost* can be a work around. What the *true* reason for this relative new undesired (iOS) behaviour is, remains to be seen, but turning off the cache boost resulted in me being able to update-all apps again.

    I use the app and have a dedicated profile for iOS devices.

    If you choose to test, do this:

    Put everything the way you like again. All bells and whistles you no Apple domain in exception or block list.

    **Disable cache-boost**; you may leave edns and flattening enabled. 

    In my case I had the beta threat intelligence disabled.  
     

    Set a timer for 5 minutes and wait.

    After 5 minutes, go to app store. Touch your initials, drag down to refresh update page. Press update all. 
     

    I have witnessed succes a few times, but it is limited to the number of devs pushing new updates. **I need more data**. Feel free to share.

    Hopefully this helps and aid NextDNS in figuring out what is going on. ✌️

    P.s. Cache-boost is a good feature because TTL of 5 seconds have downsides, but in this case - for assumed fixing purposes - I accept it disabled. I do not recommend this for shared NextDNS-profiles for other devices, only for test-fixing iOS. 
     

      • TechFan
      • 2 yrs ago
      • Reported - view

      TechFan Cannot edit my post any more.

      Update: 4 out of 5 tests were successful with cache-boost off and updated apps successfully like they used to.

      Too high TTL might be a factor, but I am starting to doubt disabling cache-boost as a viable work-around.

      I will keep testing.

      I can confirm though, if I disable the NextDNS app and press "Update All", everything updates immediately, like posters above me also pointed out.

      • Leo_Kennis
      • 2 yrs ago
      • Reported - view

      TechFan to be honest, there are multiple settings that when I disable them then seem to make everything work again. For 30 minutes. Then it’s broken again.
      It might just be a “placebo effect”: even if I would not have changed any settings, due to the randomness of Apple stuff failing and then working a request was bound to suddenly temporarily work again. But as I was tinkering with NextDNS, I attribute it working again to the tinkering instead. 

      This evening the final straw broke this camel’s back. After a busy day I wanted to watch an iTunes movie on my Apple TV  together with my wife but I had to reboot the Apple TV twice and after that force kill the TV app once more before the movie finally loaded. It ate 15 minutes of our movie watching time and made me grumpy.

      Due to this bug the “wife acceptance factor” of NextDNS is at an all time low.


      For now I switched to the AdGuard DNS beta. It’s worse than NextDNS (less blocklists and features) but hey, actually it’s better because it lets me do stuff online as opposed to NextDNS…and that’s what a DNS should be for…

      I’m honestly sad because I’ve lived NextDNS since the beginning and have evangelized it on multiple occasions. Now I cannot do that anymore in good conscience. 
       

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Leo Kennis for a failing apple domain, would you be able to provide its dig output with and without nextdns?

      • Leo_Kennis
      • 2 yrs ago
      • Reported - view

      NextDNS I tried this link: https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx

      On a Mac it should open the TV app showing the series "Severance".

      NextDNS:

      dig output:

      [~] dig https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      
      ; <<>> DiG 9.10.6 <<>> https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20405
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx. IN A
      
      ;; AUTHORITY SECTION:
      .            1721    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2022071802 1800 900 604800 86400
      
      ;; Query time: 112 msec
      ;; SERVER: 192.0.2.42#53(192.0.2.42)
      ;; WHEN: Tue Jul 19 09:07:29 CEST 2022
      ;; MSG SIZE  rcvd: 176

      The "SERVER" section looks weird (192... IP) - I set NextDNS in my router and via the NextDNS app on my MacBook.

      Actual result: see screenshot, translated something like "content is not available"

      AdGuard DNS:

      dig output:

      [~] dig https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      
      ; <<>> DiG 9.10.6 <<>> https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33377
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx. IN A
      
      ;; AUTHORITY SECTION:
      .            1745    IN    SOA    a.root-servers.net. nstld.verisign-grs.com. 2022071802 1800 900 604800 86400
      
      ;; Query time: 81 msec
      ;; SERVER: 94.140.14.49#53(94.140.14.49)
      ;; WHEN: Tue Jul 19 09:07:57 CEST 2022
      ;; MSG SIZE  rcvd: 176

      The only real difference is the number after "udp" which I assume is a port?

      Actual result: see screenshot, I can watch Severance now.

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Leo Kennis please only give tv.apple.com as argument to dig, not the full URL.

      • Leo_Kennis
      • 2 yrs ago
      • Reported - view

      NextDNS Ok.

      NextDNS:


      [/] dig tv.apple.com ; <<>> DiG 9.10.6 <<>> tv.apple.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65356 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;tv.apple.com. IN A ;; ANSWER SECTION: tv.apple.com. 284 IN CNAME itunes-cdn.itunes-apple.com.akadns.net. itunes-cdn.itunes-apple.com.akadns.net. 2933 IN CNAME itunes.apple.com.edgekey.net. itunes.apple.com.edgekey.net. 5130 IN CNAME e673.dsce9.akamaiedge.net. e673.dsce9.akamaiedge.net. 16 IN A 23.222.18.39 ;; Query time: 1037 msec ;; SERVER: 192.0.2.42#53(192.0.2.42) ;; WHEN: Tue Jul 19 16:43:05 CEST 2022 ;; MSG SIZE  rcvd: 184

      AdGuard DNS:

      [/] dig tv.apple.com
      
      ; <<>> DiG 9.10.6 <<>> tv.apple.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34092
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;tv.apple.com. IN A
      
      ;; ANSWER SECTION:
      tv.apple.com. 126 IN CNAME itunes-cdn.itunes-apple.com.akadns.net.
      itunes-cdn.itunes-apple.com.akadns.net. 2241 IN CNAME itunes.apple.com.edgekey.net.
      itunes.apple.com.edgekey.net. 21371 IN CNAME e673.dsce9.akamaiedge.net.
      e673.dsce9.akamaiedge.net. 42 IN A 72.246.168.25
      
      ;; Query time: 195 msec
      ;; SERVER: 94.140.14.49#53(94.140.14.49)
      ;; WHEN: Tue Jul 19 16:43:51 CEST 2022
      ;; MSG SIZE  rcvd: 184
      

      So do I see correctly that both DNS servers return a different IP for "e673.dsce9.akamaiedge.net"?

      • NextDNs
      • 2 yrs ago
      • Reported - view

      Leo Kennis the first CNAME leads to different akamai location. First is amsterdam, second is frankfurt. That’s not unexpected.

      Can you please add a rewrite with this hostname and the second IP and see if you are still experiencing the issue to validate this is the problem?

      A traceroute to both IPs would be interesting too if possible.

      • TechFan
      • 2 yrs ago
      • Reported - view

      NextDNS - Just unpacking the compound instructions.

      NextDNS asks to go to NextDNS settings' settings tab, header 'Rewrite(s)' and add:
      tv.apple.com with Adguards' resolved ip of 'tv.apple.com': 72.246.168.25 (or the most recent IP by Adguards DNS's resolution.)

      And then open the url to open the TV app again to see if it works now.

      ---

      I think, to test this correctly, one should recreate the error, prior to rewriting the domainname in NextDNS, to exclude the passage of time already having changed the situation again, like Leo also shared.

      • Leo_Kennis
      • 2 yrs ago
      • Reported - view

      NextDNS Hi, for the "rewrite" can you explain in a little more detail what you mean?

      For the tracerouters:

      To NextDNS resolved IP 23.222.18.39:

      [~] traceroute -I 23.222.18.39
      traceroute to 23.222.18.39 (23.222.18.39), 64 hops max, 72 byte packets
      1  192.168.0.1 (192.168.0.1)  9.405 ms  7.294 ms  5.471 ms
      2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  23.604 ms  20.450 ms  15.337 ms
      3  212.142.53.249 (212.142.53.249)  13.912 ms  22.182 ms  16.739 ms
      4  asd-tr0021-cr101-be110-2.core.as33915.net (213.51.7.84)  21.772 ms  17.030 ms  18.320 ms
      5  nl-ams14a-ri1-ae51-0.core.as9143.net (213.51.64.186)  17.231 ms  16.524 ms  19.911 ms
      6  213.46.182.38 (213.46.182.38)  22.520 ms  22.767 ms  24.723 ms
      7  ae0.cr3-ams2.ip4.gtt.net (89.149.182.74)  17.824 ms  24.987 ms  21.391 ms
      8  ip4.gtt.net (213.254.197.138)  18.271 ms  23.868 ms  26.259 ms
      9  a23-222-18-39.deploy.static.akamaitechnologies.com (23.222.18.39)  28.252 ms  22.767 ms  24.515 ms
      

      To AdGuard DNS  resolved IP 72.246.168.25:

      [~] traceroute -I 72.246.168.25
      traceroute to 72.246.168.25 (72.246.168.25), 64 hops max, 72 byte packets
      1  192.168.0.1 (192.168.0.1)  6.480 ms  4.901 ms  5.103 ms
      2  31-151-45-1.dynamic.upc.nl (31.151.45.1)  19.330 ms  14.521 ms  16.869 ms
      3  212.142.54.249 (212.142.54.249)  13.637 ms  12.878 ms  17.663 ms
      4  asd-rc0001-cr101-be110-2.core.as33915.net (213.51.7.82)  16.142 ms  15.686 ms  20.497 ms
      5  nl-ams09c-ri1-ae50-0.core.as9143.net (213.51.64.62)  29.991 ms  14.347 ms  19.510 ms
      6  ae14-209.rt.tc2.ams.nl.retn.net (87.245.246.18)  22.864 ms  20.688 ms  26.455 ms
      7  ae2-10.rt.eqx.fkt.de.retn.net (87.245.234.112)  21.456 ms  25.965 ms  23.380 ms
      8  87.245.214.163 (87.245.214.163)  27.526 ms  28.516 ms  25.650 ms
      9  a72-246-168-25.deploy.static.akamaitechnologies.com (72.246.168.25)  22.381 ms  29.462 ms  19.708 ms
      
      • TechFan
      • 2 yrs ago
      • Reported - view

      Leo Kennis they want you to overwrite your NextDNS' DNS response with the IP of Adguard DNS by adding an entry of 'tv.apple.com' in Rewrites [Herschrijvingen] section in your my.nextdns.io account settings.

      Then, when you Mac resolves tv.apple.com via your NextDNS DNS by opening your testcase url https://tv.apple.com/us/show/severance/umc.cmc.1srk2goyh2q2zdxcx605w8vtx again, it will return the same ip as AdGuard DNS will.

      • Leo_Kennis
      • 2 yrs ago
      • Reported - view

      TechFan ah okay…as it’s unpredictable at what time which Apple url will fail I’ll need to invest some time in to that. 

    • TechFan
    • 2 yrs ago
    • Reported - view

    @NextDNS @leo_kennis

    Do you have an position on IPv4 and IPv6 in relation to this topic? Would this behaviour be explained by not having IPv6 ips assigned to clients? (tv.apple.com resolves to 4 AAAA records and 1 A record.) 

    Feel free to ignore if irrelevant, just trying to get more info shared.

    I can see one of the posters has a IPv6 address in the test output, so this might be one we can exclude in "House's differential diagnosis". 

    • Leo_Kennis
    • 2 yrs ago
    • Reported - view

    @NextDNS can you give me a % chance this issue will be resolved? If not, please save me from having to check this topic again and again without any progress made. I will just switch to another DNS provider permanently...

    • Joost
    • 2 yrs ago
    • Reported - view

    @NextDNS exactly the same issue. Me and some of my friends which also use NextDNS are about to leave NextDNS as well. 
    Every solution seem not working and this is ongoing for at least 2-3 months now. It gets way to annoying. 
    NextDNS please fix it. I loved how it works and this gonna cost you guys a huge amount of users. 

      • aqua_airplane
      • 1 yr ago
      • Reported - view

       I’m glad to know I’m not the only one thinking about it, everyone with shares at this company is gone 

    • TechFan
    • 2 yrs ago
    • Reported - view

    Perhaps the NextDNS app can be expanded with an additional feedback mechanism? Or perhaps even local logs to consult. It is a hard to debug.

    As a test, nowadays, in the iOS NextDNS app, I switch off the custom ID switch, effectively disabling most of the custom configuration, but keeping NextDNS DOH on.

    No conclusive results yet.

    • Mika
    • 2 yrs ago
    • Reported - view

    Disabling 

    Cryptojacking Protection

    Prevent the unauthorized use of your devices to mine cryptocurrency.

    Resolved the issue 

      • TechFan
      • 2 yrs ago
      • Reported - view

      Hey Mika,  would mind reporting back after a few days if your solution persist?
      This thread's solution has proven to be difficult to truly confirm because of actions that have a temporary effect.

      • aqua_airplane
      • 1 yr ago
      • Reported - view

      it didn't resolve the issue if now you don't have crypto mining prevention

    • Roberto.1
    • 1 yr ago
    • Reported - view

    I started having this problem a few days ago, and it's quite annoying. No solution has been found so far?

    • cbo64
    • 1 yr ago
    • Reported - view

    i've had this problem too. Thanks @Mika, disabling the Cryptojacking Protection fixed the problem.

    • Leo_Kennis
    • 1 yr ago
    • Reported - view

    Since a few weeks this problem returned for me after having been gone for a year. 
     

    Possibly disabling the cryptojacking switch would’ve solved it. Or not. Or temporarily. Who knows?

     

    Now however I’ve switched to AdGuard DNS in the hopes that’s a service I do not need to babysit to prevent stuff from working. 

      • aqua_airplane
      • 1 yr ago
      • Reported - view

       word this nextdns seems that purchased by a vc or the main engineers shares vested and they gone, it feels like using a microsoft product, promises,bugs, and thr void 

    • aqua_airplane
    • 1 yr ago
    • Reported - view

    so the trick is replacing your dns with quad nine? or do you also own quad nine?

    • rediguana
    • 10 mths ago
    • Reported - view

    Only recently started using NextDNS in the past few days and having exactly this problem. Blocks don't show in logs, but a lot of Apple services are blocked. Have tried whitelisting apple domains. Any updates on a resolution to this problem? I've found the only reliable solution is to point the network DHCP DNS servers back to Cloudflares (1.1.1.1, 1.0.0.1).

Content aside

  • 9 Likes
  • 7 mths agoLast active
  • 52Replies
  • 2087Views
  • 18 Following