Side-note: I’ve been having issues with Lock Screen controls for quite a while, which ended up being due to my AdGuard Home DNS server (basically does the same thing as a PiHole).
To get the lock screen controls to work, I had to whitelist ws.sonos.com instead of msmetrics.ws.sonos.com. That might prove a useful amendment to this post. Or, just an FYI.
Hi @zerothe2nd
Thanks for sharing your findings!
The entire point of running a pihole is to prevent metric tracking as well as ads. Having to add these exemptions to ensure paid products actually work properly is at best shady and at worst contemptuous.
If you don’t want your products to contact places on the Internet you’d be best served to not buy products that do that.
If you want to use a product that does make external connections that you don’t want you might be able to spoof them using a firewall redirect rule and a bit of coding on your side. I do that for several devices.
For the ones you don’t like, can’t spoof and need for proper operation you can carefully tailor your security solution to allow only essential communications. You should also be able to restrict the use of the connections to specific devices to minimize usage.
Worst device I own for this kind of thing is my Keurig Smart coffee maker; it has 53 sites it must be allowed to chat with. Oh, and it requires a chatty App on your phone too.
Pi-Hole - Sonos rules:
sonos.amazonmusic.com
(regex rule) (\.|^)sonos\.com$
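To see what those two Pi-hole allowlist entries actually cover, here is an added example (not from the post or from Pi-hole itself) that applies them to the domains mentioned in this thread: the exact entry matches only that one name, and the regex `(\.|^)sonos\.com$` matches sonos.com and any subdomain of it, but not look-alike names. The domain list is constructed for the demonstration.

```python
import re

# The two entries from the post above: one exact domain and one regex entry.
EXACT_ALLOW = {"sonos.amazonmusic.com"}
REGEX_ALLOW = [re.compile(r"(\.|^)sonos\.com$")]

# Constructed test set: domains named in this thread plus two look-alikes
# that a correctly anchored regex must NOT match.
DOMAINS = [
    "sonos.com",
    "ws.sonos.com",
    "msmetrics.ws.sonos.com",
    "sonos.amazonmusic.com",
    "cdn.optimizely.com",
    "notsonos.com",           # constructed: no dot before "sonos"
    "sonos.com.example.net",  # constructed: "$" anchor must reject this
]


def is_allowed(domain):
    """Return which allowlist entry matches, or None.

    Exact entries match the whole name only; regex entries are searched
    against the full, lower-cased domain (the way Pi-hole evaluates them).
    """
    d = domain.lower().rstrip(".")
    if d in EXACT_ALLOW:
        return "exact"
    for rx in REGEX_ALLOW:
        if rx.search(d):
            return "regex"
    return None


def allow_report(domains=DOMAINS):
    """Map each domain to the entry that allows it (None = still filtered)."""
    return {d: is_allowed(d) for d in domains}


if __name__ == "__main__":
    for domain, how in allow_report().items():
        print(f"{domain:28s} {how or 'not allowed'}")
```

Note that cdn.optimizely.com is not covered by either entry, which is why later posts in this thread have to add it separately.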
Is edn.optimizely.com correct here? Or should it be cdn.optimizely.com? When I search edn.optimizely.com on Google, this post is the only thing that comes up.
Hi @forebittclash
Yes indeed - thanks for spotting and flagging my typo! I’ll edit my post.
Thanks @Corry P! For my pi-holes I created a group for our Sonos products and applied the whitelist settings to it, versus whitelisting for the entire network. That could help assuage concerns for the more security minded. I’d also recommend putting them in a separate IoT VLAN, but that’s a conversation for another day (especially for those with media servers, etc.).
Thanks CorryP for bringing up the matter and explaining the domain functionalities.
Worth noting that my YouTube Music service was failing to add - did not realise that manifest.googlevideo.com was being blocked by one of the custom YT adblocking lists on my AdGuard Home setup. Added to safelist and it worked fine. Happy days.
Please update this post to adjust for the new app
Hey @Corry P, great post! Very much worth noting that your detective work applies to ANY mechanism that performs DNS filtering. @Bumper documented his challenge elsewhere in the forums and I am certain he’ll be keen to add optimizely.com to his whitelist.
And also note that a number of functions simply do not appear in the app if DNS filtering is used. I’m sure you can appreciate the immense difficulty of debugging these issues … it’s hardly intuitive to connect “why is function x missing?” to “by chance are you using privacy filtering?”
My apps seem to be working with the old Pi-Hole rules.
Once the apps are usable I probably should look into the filter settings again but I’m avoiding touching anything Sonos related until things stabilize and return to full functionality.
Thanks for tagging me @press250 , whitelisting optimizely seems to have fixed the issue of new features not showing up with my nextdns config.
Touchdown @Bumper … I just needed an extra week to help solve this snafu.
Can you tag @Corry P and describe the “missing features” in this context? This behavior isn’t going to be limited to advanced users; Normal People who have turned on parental controls on their Wi-Fi router could very well end up in the same boat.
The features not enabled when using Nextdns: alarms, sleep timers, add to end of queue, add next.
Switching to Cloudflare or Google DNS on the device allows the features to appear if the app is deleted and reinstalled. Features continued to work when switched back to Nextdns. So temporarily turning off your DNS will get you the missing features; no need to whitelist anything if you don’t want to.
Or whitelisting cdn.optimizely.com as suggested in the OP by @Corry P fixed it for the above missing features as well.
Nextdns has been blocking the optimizely domain for as long as my logs go back but it’s only been an issue since the new app.
The new controller app calls at least these domains with sub domains:
ingest.sentry.io
lh3.googleusercontent.com
i.ytimg.com
sdk.iad-05.braze.com
cdn.optimizely.com
sonos.com
It seems that adding the following analytics domains helps speed up startup of the app (even though they don’t seem to be called directly by the Android app):
firebase-settings.crashlytics.com
crashlyticsreports-pa.googleapis.com
In the same vein as this topic, is there any list of hostnames/subnets that are used for incoming connections?
For instance, I have Plex setup in Sonos which works great, but I’d prefer to restrict incoming Plex connections to only Sonos services (everything else uses a VPN). I can just allow the incoming connections I see on the firewall, but if any of the IPs change then it will break things and I’ll have to go back and redo everything.
I’ve looked at the query log for devices playing Plex content and none of those domains seem to relate to the incoming connections I see. Best I can limit so far is to AWS, but that’s half the internet.
Have you been through this?
I doubt Sonos are making incoming requests to your devices and the incoming you need to allow will be down to where your plex servers are surely?
https://support.plex.tv/articles/218237558-requirements-for-using-plex-for-sonos/
If your plex server is on the same lan as your Sonos devices, then according to plex the requirement is Nat loopback in your router. Or is your plex setup more complex?
Yeah; from what I’ve seen and read elsewhere, a hosted service somewhere (not sure now if it’s Plex, or Sonos-run) accesses the Plex server to obtain music data. Playback itself is local/NAT loopback but an external connection is required for the service to function. As soon as I start to browse the Plex collection, a ton of connections appear in my firewall states, and disappear when Sonos is closed out. Disabling port forwarding breaks the service.
The only workaround I’ve found so far is to use the Plex-hosted relay, which does seem to work pretty well most of the time, since playback itself is direct and not proxied. This alleviates the majority of my concerns (not wanting to leave Plex exposed in general), but would be still nice to lock things down more.
I studied a number of languages during my years as a perpetual undergraduate student — French, German, Spanish, Russian, Sanskrit.
But I have no idea what language you folks are speaking here. Am I going to need to study up on this just to make my Sonos speakers work so I can listen to music at home? If that’s the case, I’m whatcha call ‘SOL’ in vernacular American English.
Not needed for Sonos but there are tweaks you can do to Pi-Hole that you might like. Not worth doing just for Sonos though, well in my opinion.
As a great fan of Pi-Hole I’d suggest you, and everyone else read up on it and install a copy on their local network. It is a DNS (Domain Name System) blocker that keeps unwanted sites (junk, tracking, malware and more) from being accessed by your computer.
Free but they do accept donations, just add a Raspberry Pi or other compatible computer and do a minimal setup process and you should see a nice improvement in both speed and privacy.
@Stanley_4 : I’ve got ‘netgear armor’ running on my network. Does that perform a similar function? I also do not have ‘alexa’ or any other voice activated stuff going on and as far as I know I’ve disabled all such buzzers and bells on my Sonos speakers.
Incidentally, I’ve noticed of late I keep getting notifications from that netgear ‘network security’ app telling me it has blocked suspicious incoming from sonos. Not sure what the hay that’s about, but I don’t recall that happening at all before the May 7 watershed event.
Don’t know anything about Netgear Armor https://www.netgear.com/home/services/armor/ but it sounds very different.
If netgear is blocking stuff from Sonos you might capture the message and post it here so folks could give you an opinion on what it is blocking and what results you could expect from it.
Hi @chambolle and @Stanley_4, Netgear Armor is the very popular Bitdefender desktop malware package implemented in the Netgear router. Bitdefender includes internet browsing protection, so the notifications are likely related to the Sonos and third-party servers that were added with the new app in May 2024.
I doubt Netgear Armor is causing trouble, tho’ I could be more definitive with the actual wording of the notification(s).
As an aside, many contemporary Wi-Fi routers (from Netgear, Asus, and others) include this type of protection, so if it is causing trouble for @chambolle it is causing trouble for many other users.
It’s going to depend what Plex are doing with the Sonos service, but from my limited understanding of the Sonos API I’d expect the requests would be coming from the Plex Cloud services. The controller requests the metadata, e.g. library contents, cover art URLs, media URLs, via the Sonos API, then playback and art display use the URLs.
So
Sonos App → Sonos Cloud API → Plex Cloud → Your server (unless plex cache it) for meta data
The Plex documentation is a bit lacking in details, but under remote access troubleshooting they provide this link to get the current public source IPs of their AWS workers. Most of the Plex platform is on Amazon EKS, so the file gets updated automatically as they change.
https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt
It is going to be a pain to keep them up to date in your firewall unless you can automate updating your firewall when it changes. How big a pain depends how frequently they change.
If the sources you see being blocked aren’t from the IPs in that list, then maybe it’s undocumented Plex sources or maybe it’s Sonos. As Plex know how their integration works you’d probably need to try and extract the info from them.
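One way to automate the firewall update the reply above talks about, as an added example (not code from Plex, Sonos or this thread): it takes a downloaded copy of the IP list, keeps only entries that are safe to put in an allow rule (it drops malformed lines, RFC 1918 and other non-routable ranges, and a catch-all /0 so a garbled or tampered download cannot silently open the firewall), reports what changed since the last fetch, and renders an nftables set. The download step, the table name `inet filter`, the set name and the addresses are all assumptions or constructed for the demonstration.

```python
import ipaddress

# Constructed sample of a fetched list (not real Plex addresses), including
# junk lines a careful updater must reject rather than pass into a rule.
FETCHED_LIST = """\
203.0.113.10
203.0.113.11
198.51.100.0/24
not-an-ip
10.0.0.5
0.0.0.0/0
"""
PREVIOUS_LIST = """\
203.0.113.10
203.0.113.12
"""

# Ranges that should never be opened from the Internet side (assumed policy).
NEVER_ALLOW = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
                "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4")]


def parse_ip_list(text):
    """Return the set of IPv4 networks from the list that are safe to allow."""
    keep = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                      # malformed line: skip, never guess
        if net.version != 4 or net.prefixlen == 0:
            continue                      # IPv4 only (assumption); reject /0
        if any(net.overlaps(bad) for bad in NEVER_ALLOW):
            continue                      # private/reserved space: reject
        keep.add(net)
    return keep


def diff_lists(old_text, new_text):
    """(added, removed) as sorted CIDR strings, so changes can be logged."""
    old, new = parse_ip_list(old_text), parse_ip_list(new_text)
    return sorted(map(str, new - old)), sorted(map(str, old - new))


def render_nft_set(nets, name="plex_sources"):
    """nftables set usable as: ip saddr @plex_sources tcp dport 32400 accept."""
    elems = ", ".join(str(n) for n in sorted(nets))
    return (f"table inet filter {{\n  set {name} {{\n    type ipv4_addr\n"
            f"    flags interval\n    elements = {{ {elems} }}\n  }}\n}}\n")


if __name__ == "__main__":
    added, removed = diff_lists(PREVIOUS_LIST, FETCHED_LIST)
    print("added:", added, "removed:", removed)
    print(render_nft_set(parse_ip_list(FETCHED_LIST)))
```

Run it from cron after fetching the list; only reload the set when `diff_lists` reports a change, and log the diff so an unexpected entry is noticed rather than silently allowed.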