Spotify for iOS not working?

cvo · June 10, 2017, 2:00am

Hi All,

I have Spotify for iOS (latest version) on several iOS devices and I've had all of these domains whitelisted for a while. It appears that it's recently just broken however; I've tried on both premium and free Spotify accounts.

Spotify domains in my whitelist:

I've also tried whitelisting (to no avail) these domains that were piholed around the same timeframe in the logs:

I've also gone ahead and made a debug token: xotqeb7668

Any ideas?
Thank you!

jacob.salmela · June 10, 2017, 3:43pm

Did you make sure the cache expired? iOS is pretty aggressive with caching and I don't know of a way to flush it besides flipping the app up into oblivion after double-clicking the home button.

cvo · June 10, 2017, 4:04pm

Thanks for the reply back! Yeah I've tried on different devices; I even installed Spotify on a new device and made a new free account. I've tried rebooting, forgetting and rejoining my wifi, rebooting the pi, and updating pihole gravity.
When I go to add the usual fix "spclient.wg.spotify.com" pihole confirms it's already in there and that it doesn't need to do anything. I've had the "spclient.wg.spotify.com" domain in my whitelist for a while and it did appear to be working but isn't now.

cvo · June 10, 2017, 4:11pm

A bit more info that may be helpful...

This is what I get from the terminal; so it doesn't appear to be resolving?

~$ nslookup spclient.wg.spotify.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	spclient.wg.spotify.com
Address: 0.0.0.0

I am using a couple of DNSCrypt servers; possible / probable that they're filtering or dropping the request?

Servers used:

CS-USNorth
CS-USSouth

Testing DNSCrypt seems to work:
~ $ sudo systemctl status -l dnscrypt-proxy@*
● dnscrypt-proxy@cs-usnorth.service - DNSCrypt client proxy
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
Active: active (running) since Fri 2017-06-09 21:42:30 CDT; 13h ago
Docs: man:dnscrypt-proxy(8)
Main PID: 601 (dnscrypt-proxy)
CGroup: /system.slice/system-dnscrypt\x2dproxy.slice/dnscrypt-proxy@cs-usnorth.service
└─601 /usr/local/sbin/dnscrypt-proxy /usr/local/etc/dnscrypt-proxy.conf --resolver-name=cs-usnorth --user=dnscrypt

Jun 10 09:53:30 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 09:53:30 2017 [INFO] This certificate is valid
Jun 10 09:53:30 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 09:53:30 2017 [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Jun 10 09:53:30 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 09:53:30 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Jun 10 09:53:30 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 09:53:30 2017 [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] Refetching server certificates
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] Server certificate with serial '0001' received
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] This certificate is valid
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Jun 10 10:54:34 raspi-hole dnscrypt-proxy[601]: Sat Jun 10 10:54:34 2017 [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236

● dnscrypt-proxy@cs-ussouth.service - DNSCrypt client proxy
   Loaded: loaded (/lib/systemd/system/dnscrypt-proxy@.service; enabled)
   Active: active (running) since Fri 2017-06-09 21:42:31 CDT; 13h ago
     Docs: man:dnscrypt-proxy(8)
 Main PID: 605 (dnscrypt-proxy)
   CGroup: /system.slice/system-dnscrypt\x2dproxy.slice/dnscrypt-proxy@cs-ussouth.service
           └─605 /usr/local/sbin/dnscrypt-proxy /usr/local/etc/dnscrypt-proxy.conf --resolver-name=cs-ussouth --user=dnscrypt

Jun 10 09:53:16 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 09:53:16 2017 [INFO] This certificate is valid
Jun 10 09:53:16 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 09:53:16 2017 [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Jun 10 09:53:16 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 09:53:16 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Jun 10 09:53:16 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 09:53:16 2017 [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] Refetching server certificates
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] Server certificate with serial '0001' received
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] This certificate is valid
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] Chosen certificate #808464433 is valid from [2016-11-03] to [2026-11-01]
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Jun 10 10:53:24 raspi-hole dnscrypt-proxy[605]: Sat Jun 10 10:53:24 2017 [INFO] Server key fingerprint is BAB8:591D:F2F8:10AA:362E:6CF9:AB91:3573:1EA9:AD44:20D5:6A3F:492E:5083:C435:5236

jacob.salmela · June 10, 2017, 4:32pm

So it's not just limited to iOS?

You can change your upstream servers for a quick test to verify that.

Can you also try a pihole -t and then open Spotify just to see if there is any additional Spotify domains that are getting blocked?

Also, when you say it's broken can you be more specific? Is it that the app won't load or certain images don't show, or ads are not blocked?

cvo · June 10, 2017, 4:37pm

Okay so some quick digging it does appear to be an issue with us-csnorth and us-cssouth not resolving "spclient.wg.spotify.com"

Any ideas why they wouldn't be?

pi@raspi-hole:~ $ nslookup spclient.wg.spotify.com 173.234.56.115
Server:		173.234.56.115
Address:	173.234.56.115#53

Non-authoritative answer:
Name:	spclient.wg.spotify.com
Address: 0.0.0.0

pi@raspi-hole:~ $ nslookup github.com 173.234.56.115
Server:		173.234.56.115
Address:	173.234.56.115#53

Non-authoritative answer:
Name:	github.com
Address: 192.30.253.113
Name:	github.com
Address: 192.30.253.112

pi@raspi-hole:~ $ nslookup spclient.wg.spotify.com 70.32.38.67
Server:		70.32.38.67
Address:	70.32.38.67#53

Non-authoritative answer:
Name:	spclient.wg.spotify.com
Address: 0.0.0.0

pi@raspi-hole:~ $ nslookup github.com 70.32.38.67
Server:		70.32.38.67
Address:	70.32.38.67#53

Non-authoritative answer:
Name:	github.com
Address: 192.30.253.113
Name:	github.com
Address: 192.30.253.112

As far as broken goes: Home, Browse, and Radio tabs on the app say "An error occurred Try Again"

Here's the "pihole -t" log of force closing and reopening the spotify app:
pi@raspi-hole:~ $ pihole -t
Press Ctrl-C to exit
Jun 10 11:33:47 dnsmasq[16601]: query[AAAA] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:33:47 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:33:52 dnsmasq[16601]: query[A] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:33:52 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:33:52 dnsmasq[16601]: query[AAAA] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:33:52 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:17 dnsmasq[16601]: query[A] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:17 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:17 dnsmasq[16601]: query[AAAA] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:17 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:23 dnsmasq[16601]: query[A] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:23 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:23 dnsmasq[16601]: query[AAAA] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:23 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:25 dnsmasq[16601]: query[A] googleapis.l.google.com from 192.168.23.110
Jun 10 11:34:25 dnsmasq[16601]: forwarded googleapis.l.google.com to 127.10.10.2
Jun 10 11:34:25 dnsmasq[16601]: forwarded googleapis.l.google.com to 127.10.10.1
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.9.74
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 216.58.192.234
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.8.170
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 216.58.216.74
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.4.106
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.9.42
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.8.202
Jun 10 11:34:25 dnsmasq[16601]: reply googleapis.l.google.com is 172.217.0.10
Jun 10 11:34:25 dnsmasq[16601]: query[A] intercom.io from 192.168.23.110
Jun 10 11:34:25 dnsmasq[16601]: /etc/pihole/gravity.list intercom.io is 192.168.23.140
Jun 10 11:34:31 dnsmasq[16601]: query[A] settings.crashlytics.com from 192.168.23.110
Jun 10 11:34:31 dnsmasq[16601]: forwarded settings.crashlytics.com to 127.10.10.1
Jun 10 11:34:31 dnsmasq[16601]: reply settings.crashlytics.com is
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 50.19.220.208
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 23.23.114.1
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 23.23.235.188
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 54.225.217.126
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 23.23.122.193
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 54.225.215.77
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 54.225.163.100
Jun 10 11:34:31 dnsmasq[16601]: reply settings-crashlytics-1410998606.us-east-1.elb.amazonaws.com is 50.16.218.218
Jun 10 11:34:31 dnsmasq[16601]: query[A] market.spotify.com from 192.168.23.110
Jun 10 11:34:31 dnsmasq[16601]: forwarded market.spotify.com to 127.10.10.1
Jun 10 11:34:31 dnsmasq[16601]: query[A] e.crashlytics.com from 192.168.23.110
Jun 10 11:34:31 dnsmasq[16601]: /etc/pihole/gravity.list e.crashlytics.com is 192.168.23.140
Jun 10 11:34:31 dnsmasq[16601]: reply market.spotify.com is
Jun 10 11:34:31 dnsmasq[16601]: reply weblb-wg.dual-gslb.spotify.com is 104.154.127.47
Jun 10 11:34:32 dnsmasq[16601]: query[AAAA] ash2-accesspoint-a60.ap.spotify.com from 192.168.23.110
Jun 10 11:34:32 dnsmasq[16601]: forwarded ash2-accesspoint-a60.ap.spotify.com to 127.10.10.1
Jun 10 11:34:32 dnsmasq[16601]: reply ash2-accesspoint-a60.ap.spotify.com is NODATA-IPv6
Jun 10 11:34:32 dnsmasq[16601]: query[A] ash2-accesspoint-a60.ap.spotify.com from 192.168.23.110
Jun 10 11:34:32 dnsmasq[16601]: forwarded ash2-accesspoint-a60.ap.spotify.com to 127.10.10.1
Jun 10 11:34:32 dnsmasq[16601]: reply ash2-accesspoint-a60.ap.spotify.com is 193.235.32.196
Jun 10 11:34:32 dnsmasq[16601]: query[A] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:32 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:32 dnsmasq[16601]: query[AAAA] f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local from 192.168.23.110
Jun 10 11:34:32 dnsmasq[16601]: cached f7f8ec90-a4a0-b4b0-6f74-f0c4fb0cc37f.local is NXDOMAIN
Jun 10 11:34:33 dnsmasq[16601]: query[A] 83d6fcdaf7d2582d-0.local from 192.168.23.110
Jun 10 11:34:33 dnsmasq[16601]: cached 83d6fcdaf7d2582d-0.local is NXDOMAIN
Jun 10 11:34:33 dnsmasq[16601]: query[AAAA] 83d6fcdaf7d2582d-0.local from 192.168.23.110
Jun 10 11:34:33 dnsmasq[16601]: cached 83d6fcdaf7d2582d-0.local is NXDOMAIN
Jun 10 11:34:33 dnsmasq[16601]: query[A] udm.scorecardresearch.com from 192.168.23.110
Jun 10 11:34:33 dnsmasq[16601]: /etc/pihole/gravity.list udm.scorecardresearch.com is 192.168.23.140
Jun 10 11:34:33 dnsmasq[16601]: query[A] sb.scorecardresearch.com from 192.168.23.110
Jun 10 11:34:33 dnsmasq[16601]: /etc/pihole/gravity.list sb.scorecardresearch.com is 192.168.23.140

cvo · June 10, 2017, 7:31pm

I swapped out these DNSCrypt resolvers:

us-csnorth
us-cssouth

For these:

d0wn-us-ns1
d0wn-us-ns2

And the app works again (and I gained DNSSEC). Hopefully this helps out anyone else and raises some awareness to whatever censorship cryptostorm.is is running.