Tutorial

Sonos & Pi-hole

  • 10 June 2022
  • 8 replies
  • 3493 views

Hi Everyone!

Due to some recent difficulties I had getting Sonos Voice Control installed on my system because of the presence of Pi-hole on my network, I thought it might be useful to some to write an article on what the problem was, why it happened, and how I fixed it. There are quite a few technical terms here, so I have included some Wiki links.

If you already have Pi-hole installed and running, and understand what it does, you can skip the hidden section below.

What is Pi-hole?

Pi-hole is a piece of open-source software which blocks ads for all devices on your network by acting as a DNS Sink(hole). Pi-hole runs on the Linux operating system which can be controlled via another computer (or phone/tablet) using a terminal emulator. Because Pi-hole needs no GUI (Graphical User Interface), it is often installed on a minimal, CLI-only (Command Line Interface) version of Linux such as Armbian Linux or Raspberry Pi’s Raspbian.

 

Personally, I keep a dedicated device for running Pi-hole to minimise latency and maximise stability due to the lack of other software installed - the fewer applications a computer runs, the more stable and responsive it will be.

 

During setup, you give the device a static IP address on your network, then configure your router to provide Pi-hole’s IP address as the DNS (Domain Name System) server that all devices connecting to your network using DHCP (Dynamic Host Configuration Protocol) will use. 

 

DNS servers convert human-friendly addresses such as sonos.com into computer-friendly IP addresses like 2.22.108.216 (the IP address of sonos.com). Pi-hole checks these requests against a list of known ad servers - if there's a match, Pi-hole returns a null IP of 0.0.0.0 (this is the sink in DNS Sink) and the requesting device is unable to show the ad and carries on with its other tasks. If there is no match, Pi-hole forwards the request on to an internet-based DNS server of your choice (the choice made during setup), the IP is resolved, passed to Pi-hole and Pi-hole relays it to the requesting device, allowing it to communicate with (that part of) the internet.

 

For anyone looking for an installation guide, I personally followed this YouTube video from Craft Computing and found it very helpful:

You're running Pi-Hole wrong! Setting up your own Recursive DNS Server!

 

Sonos & Pi-hole

I experienced two problems relating to Sonos and Pi-hole:

  1. When Sonos Radio was released, I was given no option to purchase a subscription in the Sonos app

  2. When I was allowed an early peek at Sonos Voice Control, it was not listed as an option in the Sonos app, so I was unable to install it to my compatible, voice-enabled Sonos speakers.

But more issues could easily arise, if not for the simple adjustments I made to Pi-hole’s configuration. Problem 1 was solved by adding sonos.com to the Pi-hole whitelist, and problem 2 was solved by adding optimizely.com to the whitelist.

 


 

In the Pi-hole configuration page, go to the Whitelist section on the left.

  1. Type sonos.com into the Domain box. Optionally, add a Comment.

  2. Mark the Add domain as wildcard check box

  3. Click Add to whitelist

  4. Repeat for optimizely.com

You’ll now have two entries as shown. Don’t worry about the fact that they look a little weird - they’ve been adjusted to act as wildcards, so that all sub-domains are allowed access.


If you don’t like the idea of using wildcards, you can instead whitelist the following addresses (without marking the Add domain as wildcard check box):

msmetrics.ws.sonos.com - this was added to Pi-hole’s default blocklist due to how often Sonos devices “phone home”. It is not an ad server.

logx.optimizely.com - this allows features to be enabled or disabled in the Sonos app without changes to the software

cdn.optimizely.com - this allows features to be enabled or disabled in the Sonos app without changes to the software

So far, we’ve restored functionality of the Sonos app. To allow us to gather metrics of app usage, so to better tailor your experience on the Sonos app, please also allow the following addresses:

urbanairship.com as a wildcard, or

device-api.urbanairship.com and combine.urbanairship.com as individual entries.

Summary

With that done, you should not have any problems with Pi-hole and Sonos operating on the same network, and be assured of full operability of the Sonos app and of your Sonos system. While I hope this has been helpful, please be aware that Sonos cannot offer further support on third-party software such as Pi-hole. Pi-hole’s community forums are a good place to seek further support.

Photo by Stefan Cosma on Unsplash
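To see how much more the wildcard entries admit than the three exact hostnames listed in the post above, here is an added example (not part of the original post and not Pi-hole's own code). It assumes Python's `re` treats this pattern the same way Pi-hole's regex engine does; the blocklist and the hostnames marked as constructed are made up for illustration.

```python
import re

def wildcard_regex(domain):
    # Regex form of a wildcard whitelist entry, e.g. (\.|^)sonos\.com$
    return r"(\.|^)" + re.escape(domain) + "$"

def classify(qname, exact_allow, regex_allow, blocklist):
    """Whitelist entries win over the blocklist; anything else goes upstream."""
    q = qname.lower().rstrip(".")
    if q in exact_allow or any(re.search(p, q) for p in regex_allow):
        return "whitelisted"
    if q in blocklist:
        return "sinkholed"      # answered with 0.0.0.0
    return "forwarded"

# Constructed blocklist for the demonstration (not a real Pi-hole list).
BLOCKLIST = {
    "msmetrics.ws.sonos.com", "logx.optimizely.com", "cdn.optimizely.com",
    "some-other-host.sonos.com",   # constructed hostname
    "notsonos.com",                # constructed look-alike
    "sonos.com.example.net",       # constructed look-alike
}

# Policy A: the two wildcard entries from the post.
WILDCARD = dict(exact_allow=set(),
                regex_allow=[wildcard_regex("sonos.com"),
                             wildcard_regex("optimizely.com")])
# Policy B: the three exact hostnames from the post.
EXACT = dict(exact_allow={"msmetrics.ws.sonos.com", "logx.optimizely.com",
                          "cdn.optimizely.com"},
             regex_allow=[])

QUERIES = ["msmetrics.ws.sonos.com", "cdn.optimizely.com",
           "some-other-host.sonos.com", "notsonos.com",
           "sonos.com.example.net", "example.org"]

def compare(queries):
    """Return {qname: (result under wildcard policy, result under exact policy)}."""
    return {q: (classify(q, blocklist=BLOCKLIST, **WILDCARD),
                classify(q, blocklist=BLOCKLIST, **EXACT))
            for q in queries}

if __name__ == "__main__":
    for q, (wild, exact) in compare(QUERIES).items():
        print(f"{q:28} wildcard={wild:12} exact={exact}")
```

The only row where the two policies differ is the extra sonos.com subdomain: the wildcard lets through every present and future subdomain that a blocklist names, while the exact entries allow only the three hosts listed.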

 


8 replies

Badge

Side-note: I’ve been having issues with Lock Screen controls for quite a while, which ended up being due to my AdGuard Home DNS server (basically does the same thing as a PiHole).

To get the lock screen controls to work, I had to whitelist ws.sonos.com instead of msmetrics.ws.sonos.com. That might prove a useful amendment to this post. Or, just an FYI.

Userlevel 7
Badge +18

Hi @zerothe2nd 

Thanks for sharing your findings! 

Userlevel 1

The entire point of running a pihole is to prevent metric tracking as well as ads. Having to add these exemptions to ensure paid products actually work properly is at best shady and at worst contemptuous.

Userlevel 7
Badge +22

If you don’t want your products to contact places on the Internet you’d be best served to not buy products that do that.

If you want to use a product that does make external connections that you don’t want you might be able to spoof them using a firewall redirect rule and a bit of coding on your side. I do that for several devices.

For the ones you don’t like, can’t spoof and need for proper operation you can carefully tailor your security solution to allow only essential communications. You should also be able to restrict the use of the connections to specific devices to minimize usage.

Worst device I own for this kind of thing is my Keurig Smart coffee maker, it has 53 sites it must be allowed to chat with. Oh, and it requires a chatty App on your phone too.

 

Pi-Hole - Sonos rules:

sonos.amazonmusic.com

(regex rule) (\.|^)sonos\.com$

Is edn.optimizely.com correct here? Or should it be cdn.optimizely.com?

When I search edn.optimizely.com on Google, this post is the only thing that comes up.

Userlevel 7
Badge +18

Hi @forebittclash 

Yes indeed - thanks for spotting and flagging my typo! I’ll edit my post.

Thanks @Corry P ! For my pi-holes I created a group for our Sonos products and applied the whitelist settings to it, versus whitelisting for the entire network. That could help assuage concerns for the more security minded. I’d also recommend putting them in a separate IoT VLAN, but that’s a conversation for another day (especially for those with media servers, etc.).

Thanks CorryP for bringing the matter and explaining the domain functionalities.

Worthy to note that my Youtube Music service was failing to add - did not realise that manifest.googlevideo.com was being blocked by one of the custom YT adblocking lists on my AdGuard Home setup. Added to safelist and worked fine. Happy days.
