Api.snapcraft.io added to block-list

Good morning,

If you wonder why you can’t reach api.snapcraft.io to install/refresh snaps, it may be because it has been added to one or more block-lists:

$ curl -sL 'https://v.firebog.net/hosts/RPiList-Phishing.txt' | 
  grep -ni api.snapcraft.io 

122171:||api.snapcraft.io^

I’ve mentioned this on the snapcraft discourse.

Best regards

Daniel

Thank you, Daniel, but I don’t understand what it means?

I’ve found that I cannot access snap when I am on IPv6, but I can access it when on IPv4. This has been going on for a couple of weeks already.

Is this related?

When I run your command, I get this result whether I’m using IPv6 or IPv4:

122656:||api.snapcraft.io^

The firebog lists are used by PiHole. Are you running a PiHole instance in your network to block ads and whatnot?

I highly doubt they would affect only one IP protocol version though but rather block DNS lookup as a whole…

(Well, you could also run firebog standalone (which is less common than using it via PiHole), but I’d guess you’d know if you had put such a thing in place)

Hi Paddy
A number of people including myself use DNS blocklists with our DNS resolvers (I use adguard-home). This means that if our devices attempt to perform a DNS lookup on a malicious or spam domain, that request will result in failure and whatever tried to reach that domain will be unable to.

api.snapcraft.io has been added to one such blocklist, due to there being a large number of malicious snaps on the store at this time. See: Report of fake crypto wallet (Exodus) snap(s) - #8 by Ares_ekb - store - snapcraft.io

The command I supplied, that you ran, downloads the blocklist in question and searches for api.snapcraft.io within the list - and as you can see it’s on the list (for now).

This is unrelated to the subject matter of the three URLs you provided.

2 Likes
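An added example, not part of any post in this thread: a stricter version of the list lookup described above. The `grep` in the original command matches substrings and treats dots as wildcards; this sketch assumes the Adblock-style `||domain^` syntax seen in the list, where a rule also covers subdomains of the named domain. The function name `rule_for` and the sample list (including `tracker.example` and `notsnapcraft.io`) are constructed for illustration.

```shell
#!/bin/sh
# rule_for HOST: read a blocklist on stdin and print "LINE:RULE" for the
# first ||domain^ rule that covers HOST, either exactly or as a parent
# domain. Exit status is 1 when no rule covers HOST.
# Typical use: curl -sL "$LIST_URL" | rule_for api.snapcraft.io
rule_for() {
    awk -v host="$1" '
        BEGIN { host = tolower(host) }
        # Only lines of the form ||<domain>^ are treated as rules.
        substr($0, 1, 2) == "||" && (cut = index($0, "^")) > 3 {
            dom = tolower(substr($0, 3, cut - 3))
            suffix = "." dom
            exact = (host == dom)
            # Parent-domain match: HOST must end in ".<dom>", so a rule for
            # notsnapcraft.io does not match snapcraft.io.
            sub_of = (length(host) > length(suffix) &&
                      substr(host, length(host) - length(suffix) + 1) == suffix)
            if (exact || sub_of) { print NR ":" $0; found = 1; exit }
        }
        END { exit !found }'
}

# Constructed sample list (not taken from the real RPiList file).
SAMPLE_LIST='! constructed sample blocklist
||api.snapcraft.io^
||tracker.example^
||notsnapcraft.io^'
```

With the sample list, `api.snapcraft.io` is reported on line 2, `cdn.tracker.example` is covered by the parent rule on line 3 (a plain `grep` for the full hostname would miss it), and `dashboard.snapcraft.io` is not covered at all.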

Thanks for the explanation, Daniel.

On my IPv6, I use a DNS (joindns4). On my IPv4, I don’t use one. I also used the hotspot from my phone, both with and without the DNS. So, it’s interesting that all three of them give the same result to your query — do I have to restart my computer to clear the cache, perhaps?

The curl -sL just downloads the text file (via IPv4) and the grep -ni simply greps for the hostname and prints it with the line number prefixed … There are no caches involved and everyone will get the very same result as you. I think Daniel just wanted to point out that api.snapcraft.io is in that list; the command does not prove anything more …

The list could only affect you if you use any tool that consumes it (like PiHole).

2 Likes

@Ogra hit the nail on the head. The curl query is unrelated to your problem. My post was to make other users aware of the domain being added to the block-list.

To investigate whether something is dropping the DNS records, you can run

host api.snapcraft.io

or

host api.snapcraft.io 86.54.11.1

Where 86.54.11.1 is the IP address of the DNS server you wish to test.

For me, doing so yielded:

Using domain server:
Name: 86.54.11.1
Address: 86.54.11.1#53
Aliases: 

api.snapcraft.io has address 185.125.188.59
api.snapcraft.io has address 185.125.188.54
api.snapcraft.io has address 185.125.188.57
api.snapcraft.io has address 185.125.188.58
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::117
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::2cc
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::2d6
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::42

You can see the IPv4 and IPv6 addresses that were returned.
If the domain was on a blocklist, such as with mobile.pipe.aria.microsoft.com, you might see something like this:

mobile.pipe.aria.microsoft.com has address 0.0.0.0
mobile.pipe.aria.microsoft.com has IPv6 address ::

1 Like

For checking if you can resolve through IPv6 you might want to use the -6 switch of the host command…

It will send DNS queries only via IPv6 (there is also a -4 option that limits it to v4)

1 Like

@ogra and @dwd-daniel — Thank you, I understand now!

I get the following on my laptop, which doesn’t use a private DNS:

$ host -6 api.snapcraft.io
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; no servers could be reached
$ host -4 api.snapcraft.io
api.snapcraft.io has address 185.125.188.59
api.snapcraft.io has address 185.125.188.57
api.snapcraft.io has address 185.125.188.58
api.snapcraft.io has address 185.125.188.54
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::117
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::2cc
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::2d6
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::42

So that means you cannot communicate with your DNS server on IPv6, but you can on IPv4. Perhaps the DNS server isn’t configured to have an IPv6 address itself, or perhaps your router or ISP doesn’t support IPv6.

When you do connect to the DNS server on IPv4, it tells you there are four IPv4 addresses for api.snapcraft.io, and there are four IPv6 addresses for api.snapcraft.io.

:+1:

2 Likes
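An added example, not written by anyone in this thread: the three `host` outcomes quoted above (real addresses, the `0.0.0.0` / `::` answers of a blocking resolver, and an unreachable resolver) told apart by a small script. The names `classify_host_output` and `probe` are hypothetical, the samples are shortened copies of the outputs quoted in the thread, and only `0.0.0.0` and `::` are assumed to mark a blocked name.

```shell
#!/bin/sh
# classify_host_output: read `host NAME [SERVER]` output on stdin and print
#   resolved             - only routable-looking addresses were returned
#   sinkholed            - only 0.0.0.0 / :: were returned (blocklist answer)
#   mixed                - one address family is sinkholed, the other is not
#   resolver-unreachable - the query never reached a DNS server
#   no-answer            - anything else (e.g. NXDOMAIN)
classify_host_output() {
    awk '
        /no servers could be reached/ { unreachable = 1 }
        / has address / || / has IPv6 address / {
            if ($NF == "0.0.0.0" || $NF == "::") sink++
            else real++
        }
        END {
            if (unreachable)        print "resolver-unreachable"
            else if (sink && real)  print "mixed"
            else if (sink)          print "sinkholed"
            else if (real)          print "resolved"
            else                    print "no-answer"
        }'
}

# probe NAME [SERVER]: run the check once per transport, as done by hand
# with host -4 / host -6 in the thread. Needs network access.
probe() {
    for fam in -4 -6; do
        printf '%s %s\n' "$fam" "$(host "$fam" "$@" 2>&1 | classify_host_output)"
    done
}

# Sample inputs, shortened from the outputs quoted in the thread.
SAMPLE_OK='Using domain server:
Name: 86.54.11.1
Address: 86.54.11.1#53
api.snapcraft.io has address 185.125.188.59
api.snapcraft.io has IPv6 address 2620:2d:4000:1010::117'
SAMPLE_BLOCKED='mobile.pipe.aria.microsoft.com has address 0.0.0.0
mobile.pipe.aria.microsoft.com has IPv6 address ::'
SAMPLE_DOWN=';; communications error to ::1#53: connection refused
;; no servers could be reached'
```

A `resolver-unreachable` result for `-6` alongside `resolved` for `-4` corresponds to the laptop output above: the problem is the transport to the DNS server, not a blocklist entry.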