Netgate Discussion Forum

    New Apple products on enterprise networks domain list

    Category: Cache/Proxy
    Tags: database, squid, proxy, splice, enterprise
    10 Posts, 2 Posters, 1.3k Views
    • JonathanLee

      New update to splice domains for proxy use with squid for Apple Systems

      Ref:
      https://support.apple.com/en-us/101555

      Create a text file and use it with the advanced config:

      # NoBumpDNS: destinations listed in the file (one per line; a leading dot
      # matches that domain and all of its subdomains) are spliced, not bumped.
      acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
      # Must come before any broader "ssl_bump bump" / "ssl_bump stare" rule:
      # the first matching ssl_bump line at a given step wins.
      ssl_bump splice NoBumpDNS

      Here is the file you would make on your firewall; mine is under the path /usr/local/pkg/dns.nobump

      I asked Apple support to update this list. Per the referenced website above, I have consolidated them down to a simple DNS file.

      .albert.apple.com
      .gs.apple.com
      .humb.apple.com
      .static.ips.apple.com
      .sq-device.apple.com
      .tbsc.apple.com
      .push.apple.com
      .deviceenrollment.apple.com
      .deviceservices-external.apple.com
      .gdmf.apple.com
      .identity.apple.com
      .icloud.com
      .icloud.apple.com
      .appldnld.apple.com
      .configuration.apple.com
      .gg.apple.com
      .ig.apple.com
      .mesu.apple.com
      .itunes.apple.com
      .oscdn.apple.com
      .osrecovery.apple.com
      .skl.apple.com
      .swcdn.apple.com
      .swdist.apple.com
      .swdownload.apple.com
      .swscan.apple.com
      .cdn-apple.com
      .xp.apple.com
      .apps.apple.com
      .mzstatic.com
      .ppq.apple.com
      .apple-cloudkit.com
      .appattest.apple.com
      .apps-marketplace.apple.com
      .token.safebrowsing.apple
      .audiocontentdownload.apple.com
      .devimages-cdn.apple.com
      .download.developer.apple.com
      .playgrounds-assets-cdn.apple.com
      .playgrounds-cdn.apple.com
      .sylvan.apple.com
      .appldnld.apple.com.edgesuite.net
      .itunes.com
      .lcdn-registration.apple.com
      .suconfig.apple.com
      .xp-cdn.apple.com
      .lcdn-locator.apple.com
      .serverstatus.apple.com
      .bpapi.apple.com
      .cssubmissions.apple.com
      .fba.apple.com
      .diagassets.apple.com
      .certs.apple.com
      .crl.apple.com
      .entrust.net
      .digicert.com
      .ocsp.apple.com
      .ocsp2.apple.com
      .valid.apple.com
      .appleid.apple.com
      .idmsa.apple.com
      .gsa.apple.com
      .apple-livephotoskit.com
      .apzones.com
      .gc.apple.com
      .icloud-content.com
      .iwork.apple.com
      .guzzoni.apple.com
      .smoot.apple.com
      .app-site-association.networking.apple.com
      .pos-device.apple.com
      .phonesubmissions.apple.com
      .smp-device-content.apple.com
      .idv-prod1.apple.com
      
      #Others
      .sequoia.apple.com
      .ess.apple.com
      .wps.apple.com
      .tv.apple.com
      .music.apple.com
      
      

      Make sure to upvote

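The splice decision from the post, as an added example that is not part of the original post or of Squid: a small Python checker that applies Squid's documented dstdomain rules (a leading-dot entry matches that domain and every subdomain; an entry without a dot matches only that exact host) to a dns.nobump-style file, and lints the file for the mistakes that silently change what gets spliced. NOBUMP_EXCERPT is a constructed excerpt of the list above, and the sample hostnames are constructed too.

```python
"""Added example: Squid dstdomain matching and linting for a dns.nobump file."""
from typing import Iterable, List, Optional, Set, Tuple

# Constructed excerpt of the dns.nobump list from the post (not the full file).
NOBUMP_EXCERPT = """\
.albert.apple.com
.push.apple.com
.icloud.com
.digicert.com
.ocsp.apple.com
#Others
.music.apple.com
"""


def parse_dstdomain_file(text: str) -> Tuple[List[str], List[str]]:
    """Return (entries, warnings). Drops '#' comments and blank lines the way
    Squid does, lower-cases entries, and warns on duplicates, embedded
    whitespace, and entries without a leading dot (exact-host only)."""
    entries: List[str] = []
    warnings: List[str] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if any(ch.isspace() for ch in line):
            warnings.append(f"line {lineno}: whitespace inside entry {raw.strip()!r}")
            continue
        if not line.startswith("."):
            warnings.append(f"line {lineno}: {line} has no leading dot, matches only that host")
        if line in seen:
            warnings.append(f"line {lineno}: duplicate entry {line}")
            continue
        seen.add(line)
        entries.append(line)
    return entries, warnings


def dstdomain_match(host: str, entries: Iterable[str]) -> Optional[str]:
    """Return the first entry matching host under Squid dstdomain rules, or
    None. The host is the SNI (or CONNECT target) Squid saw at the peek step."""
    host = host.strip().strip(".").lower()
    for entry in entries:
        if entry.startswith("."):
            # ".push.apple.com" matches push.apple.com and *.push.apple.com,
            # but not notpush.apple.com: the dot is part of the suffix.
            if host == entry[1:] or host.endswith(entry):
                return entry
        elif host == entry:
            return entry
    return None


def ssl_bump_action(host: str, entries: Iterable[str]) -> str:
    """Mirror the two-line ruleset in the post: splice when NoBumpDNS matches,
    otherwise fall through to whatever later rule bumps."""
    return "splice" if dstdomain_match(host, entries) else "bump"


if __name__ == "__main__":
    ents, warns = parse_dstdomain_file(NOBUMP_EXCERPT)
    for w in warns:
        print("WARN", w)
    for h in ("gateway.push.apple.com", "notpush.apple.com", "www.apple.com"):
        print(h, "->", ssl_bump_action(h, ents))
```

Run the lint over the whole file before loading it into Squid; a stray entry without its leading dot (or a bare ".apple.com"-style catch-all) changes the splice set without any error from Squid itself.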
      • JonathanLee

        I wish we had a database we could just click "use Apple base"

        • johnpoz (LAYER 8 Global Moderator) @JonathanLee

          @JonathanLee But what about your "MITM is the future" point of view? ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • JonathanLee @johnpoz

            @johnpoz Well, you can't bump everything; you can try, but some stuff you need to splice and mark trusted, like any good ACL list, right? 😄 I hope it has both a radio button for Apple and smartphone base items in the future; updating them by hand takes time.

            • JonathanLee

              The domain list was updated in May. I asked why pancake.apple.com was missing and asked them to update the list; Apple updated the website but didn't mention pancake.apple.com as required. Again, they did update it; only about 4 domains were changed.

              • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                @JonathanLee said in New Apple products on enterprise networks domain list:

                well you can’t bump everything

                And there you go - which is why it's never going to be clicky clicky for a user ;) And to be honest it shouldn't be - while I agree it can be handy to do MITM for some aspects of security or connectivity issues, I kind of miss when everything was in the clear other than your login. Much easier to troubleshoot issues, etc.

                But SSL/TLS is meant to be end to end; any sort of MITM compromises that agreement.

                • JonathanLee @johnpoz

                  @johnpoz It all needs a healthy balance: the stuff you trust, security, and rules for the stuff you don't trust. I really agree it's a nightmare to configure and keep going.

                  That splice all works perfectly, plus it is simple and easy for the everyday user to set up; it sees the headers and you can stop the URLs you want to with it easily.

                  • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                    @JonathanLee And is that going to work when ESNI, now called ECH, takes off?

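What a peek-stage proxy actually gets to see, as an added example that is not part of either poster's setup and not Squid code: a small Python builder and parser for TLS ClientHello records. The server_name (SNI) extension is what a dstdomain splice list is matched against at the peek step; with ECH the outer ClientHello carries only the ECH config's public name plus an encrypted_client_hello extension (codepoint 0xfe0d, the draft-13-and-later value, assumed here to be what deployments send), so a list keyed on SNI no longer sees the real destination. The ClientHello bytes, the hostnames and the ECH payload are constructed, not captured.

```python
"""Added example: build and parse TLS ClientHello records to show what an
SNI-based splice/bump decision sees, with and without ECH."""
import struct
from typing import Dict, Optional

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint (ECH draft-13 and later; assumption)


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Constructed, structurally valid TLS record containing a ClientHello with
    an SNI extension and, optionally, an opaque ECH extension."""
    name = sni.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # host_name type 0
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry       # server_name_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if ech_payload is not None:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                                # legacy_version TLS 1.2
        + bytes(32)                                # random (zeros, constructed)
        + b"\x00"                                  # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Extract the SNI host_name and whether an ECH extension is present,
    the way a peek step does before deciding to splice or bump."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    sni: Optional[str] = None
    ech = False
    if pos + 2 > len(body):                        # no extensions block at all
        return {"sni": sni, "ech": ech}
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME:
            if len(data) < 2:
                raise ValueError("malformed server_name extension")
            lst_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + lst_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0 and sni is None:
                    sni = data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        elif etype == EXT_ECH:
            ech = True
    return {"sni": sni, "ech": ech}


def proxy_view(record: bytes) -> str:
    """What an SNI-keyed splice list is matched against. Under ECH the outer
    SNI is the ECH config's public name, so the real host is not visible."""
    info = parse_client_hello(record)
    if info["ech"]:
        return f"sni={info['sni']} (ECH present: outer SNI is the public name; real host is encrypted)"
    return f"sni={info['sni']}"


if __name__ == "__main__":
    print(proxy_view(build_client_hello("gs.apple.com")))
    print(proxy_view(build_client_hello("public.example", ech_payload=bytes(16))))
```

The first call shows the normal case a dstdomain ACL relies on; the second shows why, once clients send ECH, a peek-and-splice policy degrades to "splice or bump by public name", which is a much coarser decision than the per-host list above.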
                    • JonathanLee @johnpoz

                      @johnpoz TLS 1.3 is going to wreak havoc alongside HTTP/3 with DNS over HTTP/3… lots of new code will be needed.

                      • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                        @JonathanLee TLS 1.3 has been used for quite some time. Any time I bother to look at the connection to pretty much anything, it's TLS 1.3. This connection to the forums is using TLS 1.3.

                        ESNI is dead, but long live ECH; that could be problematic, I would bet.

                        But again, I don't do any sort of MITM; it's not good practice. I want my SSL/TLS to be end to end, as the internet gods intended it to be ;)

                        I have no need or desire to run a proxy. If I want to block something, I would filter on IP or DNS. Yes, I block the bane of filtering, DoH and DoT.

                        I run a reverse proxy, but not as a filtering method or as a way to do MITM; rather as a way to offload the SSL connection, because the actual services have no SSL support at all or are a pain to set up. These connections are TLS 1.3, and I don't even allow 1.2: if you're not using 1.3, then you're not accessing it. And I use strict SNI, so if you don't send the valid SNI, you're not being proxied in either. This keeps random port scanners from being able to actually get to the site's interface.

                        And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if you're coming from a US IP, etc.

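The reverse-proxy setup described above, as an added example and not johnpoz's actual configuration: the post does not name the proxy, so HAProxy (the package available on pfSense) is assumed, and every hostname, backend address, certificate path and list file here is hypothetical.

```haproxy
# Added example: TLS-1.3-only, strict-SNI TLS offload in front of a plaintext
# service. Assumes HAProxy; names, paths and list files are hypothetical.
frontend https_in
    mode http
    # ssl-min-ver TLSv1.3: a TLS 1.2 client never completes a handshake.
    # strict-sni: when the SNI matches no loaded certificate, HAProxy aborts the
    # handshake instead of presenting a default cert, so a scanner that hits the
    # IP without the right SNI (or with no SNI) never reaches any backend.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni ssl-min-ver TLSv1.3 alpn h2,http/1.1

    # Drop connections before the TLS handshake when the source is outside the
    # allowed country ranges or inside a known-scanner list (one CIDR per line).
    tcp-request connection reject if !{ src -f /etc/haproxy/allow-us.lst }
    tcp-request connection reject if { src -f /etc/haproxy/scanners.lst }

    # Route strictly on the negotiated SNI; anything else is denied, not defaulted.
    acl sni_app ssl_fc_sni -i app.example.com
    http-request deny if !sni_app
    use_backend app_plain if sni_app

backend app_plain
    mode http
    # Internal service with no TLS of its own; HAProxy terminates TLS in front of it.
    server app1 10.0.0.10:8080 check
```

A quick check of the two properties from the post: `openssl s_client -connect host:443 -tls1_2` should fail the handshake, and `openssl s_client -connect host:443 -noservername` (or a wrong `-servername`) should be rejected before any certificate is served, while the correct `-servername app.example.com` negotiates TLS 1.3 normally.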
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.