Netgate Discussion Forum

iCloud Private Relay

DHCP and DNS
    DefenderLLC
    last edited by DefenderLLC May 27, 2023, 9:06 PM May 27, 2023, 8:18 PM

    So I want to disable iCloud Private Relay on my entire network, but also have it inform the user. I have tried blocking the following domain names with a pfBlocker custom DNSBL group, but client devices are still able to use it.

    I have tried adding these to my Unbound custom options and this doesn’t seem to make any difference:

    local-zone: "mask.icloud.com" always_nxdomain
    local-zone: "mask-h2.icloud.com" always_nxdomain

    Note that I am running pfSense+ 23.05 with the Unbound resolver going up to Cloudflare (no DNS forwarder). What is the best way for me to force an NXDOMAIN response as per Apple’s docs below?

    “The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.”

    mask.icloud.com
    mask-h2.icloud.com

      DefenderLLC
      last edited by DefenderLLC May 27, 2023, 9:36 PM May 27, 2023, 9:24 PM

      I have also tried this with little success:

      [attached screenshot, not shown]

        DefenderLLC
        last edited by DefenderLLC May 27, 2023, 9:37 PM May 27, 2023, 9:30 PM

        Update: it works some of the time, but it’s certainly not consistent. When it does work, it does take a while before the message pops up on the end-user device. Until that happens, iCloud Private Relay still works.

          JonathanLee
          last edited by May 28, 2023, 4:56 AM

          Have you tried SquidGuard? That might help.

          Make sure to upvote

            SteveITS Galactic Empire @DefenderLLC
            last edited by May 28, 2023, 6:04 AM

            @DefenderLLC I think you’re missing the trailing period:

            local-zone: "mask.icloud.com." always_nxdomain

            https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf#page14

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

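Added example, not code from the thread or from Netgate: a small Python tool covering the two technical points above, the Unbound `local-zone` lines the original post builds (rendered with the trailing dot the reply recommends) and the response classification Apple's guidance describes (NXDOMAIN or "no error no answer" inform the device; an answered query leaves Private Relay working; a timeout is the behaviour Apple asks networks to avoid). The sample responses are constructed inside the script, not captured from a resolver, and the live `probe()` assumes a resolver at 127.0.0.1:53, which you would change to your pfSense address.

```python
import socket
import struct

# Hostnames Apple's documentation lists for Private Relay (quoted in the post above).
PRIVATE_RELAY_HOSTS = ["mask.icloud.com", "mask-h2.icloud.com"]


def unbound_local_zones(hosts):
    """Render Unbound custom-option lines for the hosts, always in FQDN form
    with the trailing dot (the detail raised in the reply above)."""
    lines = []
    for host in hosts:
        fqdn = host.strip().lower().rstrip(".") + "."
        lines.append(f'local-zone: "{fqdn}" always_nxdomain')
    return lines


def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query with the RD bit set (header + question section)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(resp):
    """Map a raw DNS response onto the outcomes Apple's guidance distinguishes.
    'nxdomain' and 'noerror-noanswer' tell the device Private Relay is unavailable;
    'answered' leaves it working; 'timeout' is what Apple asks networks to avoid."""
    if resp is None:
        return "timeout"
    if len(resp) < 12:
        return "malformed"
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "noerror-noanswer" if ancount == 0 else "answered"
    return f"rcode-{rcode}"


def signals_relay_unavailable(resp):
    """True when the response is one of the two forms Apple says will inform the user."""
    return classify_response(resp) in ("nxdomain", "noerror-noanswer")


def probe(name, server="127.0.0.1", port=53, timeout=2.0):
    """Live check against a resolver (assumed address; not exercised offline).
    Returns the raw response bytes, or None when the resolver times out."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            return sock.recv(512)
        except socket.timeout:
            return None


def make_response(query, rcode, answers=0):
    """Constructed sample response for the given query (test data, not a capture).
    With answers=1 a single A record (RFC 5737 documentation address) is appended."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0x0F)           # QR=1, RD=1, RA=1, plus RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0)
    body = query[12:]                          # echo the question section
    if answers:
        # name = compression pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + body


if __name__ == "__main__":
    print("\n".join(unbound_local_zones(PRIVATE_RELAY_HOSTS)))
    query = build_query(PRIVATE_RELAY_HOSTS[0])
    samples = [("blocked via NXDOMAIN", make_response(query, 3)),
               ("blocked via empty NOERROR", make_response(query, 0)),
               ("not blocked", make_response(query, 0, answers=1)),
               ("resolver dropped the query", None)]
    for label, sample in samples:
        print(f"{label:28s} -> {classify_response(sample)}")
```

To check a real deployment, replace the constructed samples with `probe("mask.icloud.com", server="<pfSense LAN IP>")` for each hostname; a result of `timeout` means the resolver is dropping rather than answering, which is the case Apple's note warns causes delays on the client.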
              DefenderLLC @SteveITS
              last edited by DefenderLLC May 28, 2023, 1:50 PM May 28, 2023, 1:49 PM

              @SteveITS said in iCloud Private Relay:

              @DefenderLLC I think you’re missing the trailing period:

              local-zone: "mask.icloud.com." always_nxdomain

              https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf#page14

              I actually had it in there originally. Apparently it just takes awhile for the device to recognize that iCloud private relay is no longer available. I ended up going down the pfBlocker path since it has so many other predefined options for blocking DoH and DoT services. Thanks.

                michmoor LAYER 8 Rebel Alliance @DefenderLLC
                last edited by Mar 11, 2025, 7:28 PM

                @DefenderLLC Old post, but just curious: did you ever get this to work? My situation is that I block the domains for Private Relay; the Safari browser complains but can't access any website.

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                  DefenderLLC @michmoor
                  last edited by Mar 18, 2025, 3:15 PM

                  @michmoor Hey man, good to hear from you. It's been nearly 2 years, but I think what I ended up doing back then was simply disabling that feature on our SSID settings on each device. I am still doing that today along with my current firewall. iCloud Private Relay does not play nicely with Control D (DNS), so we just disabled it altogether.

                    michmoor LAYER 8 Rebel Alliance @DefenderLLC
                    last edited by Mar 18, 2025, 4:45 PM

                    @DefenderLLC said in iCloud Private Relay:

                    disabling that feature on our SSID

                     Hey!! Hope all is well, my friend.
                     What feature did you disable? For reference, I have UniFi gear.


                      DefenderLLC @michmoor
                      last edited by DefenderLLC Mar 18, 2025, 6:15 PM Mar 18, 2025, 6:05 PM

                      @michmoor said in iCloud Private Relay:

                      @DefenderLLC said in iCloud Private Relay:

                      disabling that feature on our SSID

                       Hey!! Hope all is well, my friend.
                       What feature did you disable? For reference, I have UniFi gear.

                      On all of my Apple devices, I just turned off the "Limit IP Address Tracking" feature which is iCloud Private Relay. This setting is located in the Wi-Fi settings for each individual SSID, or you can just simply disable it entirely from your iCloud settings (which is account-wide). IPR always breaks my EFG's SSL decryption/inspection, so I no longer use IPR on my SSIDs.

                        michmoor LAYER 8 Rebel Alliance @DefenderLLC
                        last edited by Mar 18, 2025, 6:09 PM

                         @DefenderLLC Ahh, I misunderstood. OK, cool. IPR is a pain when I'm trying to do filtering on applied clients.
                        How is the EFG working out?


                          DefenderLLC @michmoor
                          last edited by DefenderLLC Mar 18, 2025, 6:19 PM Mar 18, 2025, 6:18 PM

                          @michmoor said in iCloud Private Relay:

                           @DefenderLLC Ahh, I misunderstood. OK, cool. IPR is a pain when I'm trying to do filtering on applied clients.
                          How is the EFG working out?

                           It's been great, and I love being able to do IDS/IPS on the encrypted traffic with their optional CyberSecure Enterprise subscription (which is really Proofpoint's ET Pro @ $499/yr. under the hood) - EXCEPT - for this little PBR limitation; you can see the full story here:

                          https://community.ui.com/questions/EFG-Policy-Based-Routing-with-NeXT-AI-Enabled-Still-Broken/1401d094-4030-49b7-b711-d8e6cbf08f03#answer/1a8425e9-ef10-47ee-b186-904c0713b65d.

                            michmoor LAYER 8 Rebel Alliance @DefenderLLC
                            last edited by michmoor Mar 18, 2025, 9:53 PM Mar 18, 2025, 9:45 PM

                             @DefenderLLC Pretty scathing (I think so) indictment of NeXT AI you wrote 😬
                             I will add that although it's frustrating when a feature doesn't get implemented, or implemented correctly, the grass isn't greener on this side of the garden either. I'm dealing with unresolved but acknowledged issues.


                              DefenderLLC @michmoor
                              last edited by Mar 18, 2025, 10:15 PM

                              @michmoor I’m starting to regret selling you my 6100 MAX! I may order another Netgate appliance in the future, but all in all, I’ve been pretty happy with the EFG. I swapped out the 16 GB with a 64 GB ECC module. If they did anything right designing this unit, it was their choice of ARM-based CPU with 18 cores. It screams.

                                michmoor LAYER 8 Rebel Alliance @DefenderLLC
                                last edited by michmoor Mar 18, 2025, 10:46 PM Mar 18, 2025, 10:43 PM

                                @DefenderLLC said in iCloud Private Relay:

                                I’m starting to regret selling you my 6100 MAX!

                                 lol. Interesting you say that, because I have been eyeing at the very least a UDM Pro.
                                 I'm just too comfortable with my pfSense, but I would love some better app control.
                                 I would love to read a blog post from you about the pros vs. cons of the EFG, especially compared to a high-end Netgate appliance like the 6100. You've got considerable play time with it.


                                  DefenderLLC @michmoor
                                  last edited by DefenderLLC Mar 18, 2025, 10:59 PM Mar 18, 2025, 10:55 PM

                                  @michmoor I still have that UDM SE that I’m no longer using if you’re interested in purchasing it. I even have a brand new 8TB replacement HDD coming for it. I moved all of my Protect cameras to a UNVR Pro and installed Talk on the EFG (not supported, but it works fine), so it’s just sitting in the rack doing nothing. Text me!

                                  I’m out of rack space (again). UDM SE is just under the EFG.

                                   [attached photo, not shown]

                                    michmoor LAYER 8 Rebel Alliance @DefenderLLC
                                    last edited by Mar 18, 2025, 11:21 PM

                                    @DefenderLLC

                                     You're trying to get me again... lol
                                     Let me think about this.
                                     The biggest hurdle is converting these firewall rules. That's a weekend task. Bad enough I have to do firewall migrations for my job, but do it at home as well?


                                      DefenderLLC @michmoor
                                      last edited by Mar 18, 2025, 11:41 PM

                                      @michmoor said in iCloud Private Relay:

                                      @DefenderLLC

                                       You're trying to get me again... lol
                                       Let me think about this.
                                       The biggest hurdle is converting these firewall rules. That's a weekend task. Bad enough I have to do firewall migrations for my job, but do it at home as well?

                                       I like to use pfSense and UniFi together. In fact, that's the way I ran it for over two years. They have introduced zone-based firewall rules now, so things are much more granular than they ever used to be. I guarantee you it wouldn't take you more than a day.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.