Netgate Discussion Forum

New Apple products on enterprise networks domain list

Category: Cache/Proxy
Tags: database, squid, proxy, splice, enterprise
JonathanLee, last edited by Jul 7, 2024, 8:10 PM

    New update to splice domains for proxy use with squid for Apple Systems

    Ref:
    https://support.apple.com/en-us/101555

    Create a text file and use it with the advanced config:

    # Destinations listed in the file are spliced (TLS passed through untouched) instead of bumped
    acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
    ssl_bump splice NoBumpDNS

    Here is the file you would make on your firewall; mine is under the path /usr/local/pkg/dns.nobump.

    I asked Apple support to update this list; per the referenced website above, I have consolidated them down to a simple DNS file.

    .albert.apple.com
    .gs.apple.com
    .humb.apple.com
    .static.ips.apple.com
    .sq-device.apple.com
    .tbsc.apple.com
    .push.apple.com
    .deviceenrollment.apple.com
    .deviceservices-external.apple.com
    .gdmf.apple.com
    .identity.apple.com
    .icloud.com
    .icloud.apple.com
    .appldnld.apple.com
    .configuration.apple.com
    .gg.apple.com
    .ig.apple.com
    .mesu.apple.com
    .itunes.apple.com
    .oscdn.apple.com
    .osrecovery.apple.com
    .skl.apple.com
    .swcdn.apple.com
    .swdist.apple.com
    .swdownload.apple.com
    .swscan.apple.com
    .cdn-apple.com
    .xp.apple.com
    .apps.apple.com
    .mzstatic.com
    .ppq.apple.com
    .apple-cloudkit.com
    .appattest.apple.com
    .apps-marketplace.apple.com
    .token.safebrowsing.apple
    .audiocontentdownload.apple.com
    .devimages-cdn.apple.com
    .download.developer.apple.com
    .playgrounds-assets-cdn.apple.com
    .playgrounds-cdn.apple.com
    .sylvan.apple.com
    .appldnld.apple.com.edgesuite.net
    .itunes.com
    .lcdn-registration.apple.com
    .suconfig.apple.com
    .xp-cdn.apple.com
    .lcdn-locator.apple.com
    .serverstatus.apple.com
    .bpapi.apple.com
    .cssubmissions.apple.com
    .fba.apple.com
    .diagassets.apple.com
    .certs.apple.com
    .crl.apple.com
    .entrust.net
    .digicert.com
    .ocsp.apple.com
    .ocsp2.apple.com
    .valid.apple.com
    .appleid.apple.com
    .idmsa.apple.com
    .gsa.apple.com
    .apple-livephotoskit.com
    .apzones.com
    .gc.apple.com
    .icloud-content.com
    .iwork.apple.com
    .guzzoni.apple.com
    .smoot.apple.com
    .app-site-association.networking.apple.com
    .pos-device.apple.com
    .phonesubmissions.apple.com
    .smp-device-content.apple.com
    .idv-prod1.apple.com
    
    #Others
    .sequoia.apple.com
    .ess.apple.com
    .wps.apple.com
    .tv.apple.com
    .music.apple.com
    
    

    Make sure to upvote

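An added check for a dns.nobump file of the kind posted above (example code, not from the post or from the squid project). It applies squid's dstdomain semantics: a leading dot matches the domain and all of its subdomains, a bare name matches only that host, and the match is label-aware, so ".icloud.com" does not cover a lookalike such as icloud.com.evil.example. It also flags duplicates, malformed lines and entries already covered by a broader ".domain" entry, which squid warns about and drops. The sample file and the candidate hostnames are constructed for the demo. One caveat a practitioner should keep in mind: squid can only evaluate a dstdomain ACL for TLS traffic once it has a server name, i.e. from the CONNECT request of an explicit proxy or after peeking the ClientHello SNI at step 1 of SslBump; for intercepted traffic before that point only the destination IP is known.

```python
"""Lint a squid dstdomain file and classify hostnames as splice/bump (constructed demo)."""
from __future__ import annotations

import re

# Constructed sample modelled on the dns.nobump file in the post; deliberately
# contains a comment, a duplicate, a redundant bare entry and a malformed line.
SAMPLE_NOBUMP = """\
.albert.apple.com
.push.apple.com
.icloud.com
.icloud-content.com
.apple-cloudkit.com
#Others
.ess.apple.com
push.apple.com
.albert.apple.com
bad host.apple.com
"""

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_nobump(text: str) -> tuple[list[str], list[str]]:
    """Return (patterns, problems). Squid ignores '#' comments and blank lines."""
    patterns: list[str] = []
    problems: list[str] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not all(_LABEL.match(label) for label in line.lstrip(".").split(".")):
            problems.append(f"line {lineno}: invalid hostname {line!r}")
            continue
        if line in seen:
            problems.append(f"line {lineno}: duplicate {line!r}")
            continue
        seen.add(line)
        patterns.append(line)
    return patterns, problems


def dstdomain_match(pattern: str, host: str) -> bool:
    """squid dstdomain: '.d' matches d and every subdomain; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def redundant_patterns(patterns: list[str]) -> list[tuple[str, str]]:
    """Entries already covered by a broader '.domain' entry in the same file."""
    found = []
    for pat in patterns:
        base = pat.lstrip(".")
        for other in patterns:
            if other == pat or not other.startswith("."):
                continue
            obase = other[1:]
            if base == obase or base.endswith("." + obase):
                found.append((pat, other))
                break
    return found


def classify(hosts: list[str], patterns: list[str]) -> dict[str, str]:
    """What ssl_bump would do per hostname given 'splice NoBumpDNS' then a bump rule."""
    return {h: ("splice" if any(dstdomain_match(p, h) for p in patterns) else "bump")
            for h in hosts}


if __name__ == "__main__":
    pats, probs = parse_nobump(SAMPLE_NOBUMP)
    print("problems:", probs)
    print("redundant:", redundant_patterns(pats))
    # Constructed hostnames: one lookalike that a naive substring check would let through
    print(classify(["albert.apple.com", "api.push.apple.com", "www.icloud.com",
                    "icloud.com.evil.example", "example.com"], pats))
```

Run it against the real file by replacing SAMPLE_NOBUMP with the contents of /usr/local/pkg/dns.nobump; anything it reports as a problem or redundant entry is worth removing before squid reloads.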
    JonathanLee, last edited by Jul 7, 2024, 8:13 PM

      I wish we had a database where we could just click "use Apple base".

      johnpoz (LAYER 8 Global Moderator) @JonathanLee, last edited by Jul 7, 2024, 8:17 PM

        @JonathanLee But what about your "mitm is the future" point of view? ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        JonathanLee @johnpoz, last edited by JonathanLee Jul 7, 2024, 10:41 PM

          @johnpoz Well, you can't bump everything. You can try, but some stuff you need to splice and mark trusted, like any good ACL list, right? 😄 I hope it has both a radio button for Apple and smartphone base items in the future; updating them by hand takes time.

          JonathanLee, last edited by Jul 7, 2024, 10:45 PM

            The domain list was updated in May. I asked why pancake.apple.com was missing and asked them to please update the list; Apple updated the website but didn't mention pancake.apple.com as required. Again, they did update it, but only about 4 domains were changed.

            johnpoz (LAYER 8 Global Moderator) @JonathanLee, last edited by Jul 8, 2024, 12:44 AM

              @JonathanLee said in New Apple products on enterprise networks domain list:

              well you can’t bump everything

              And there you go, which is why it's never going to be clicky clicky for a user ;) And to be honest it shouldn't be. While I agree it can be handy to do mitm for some aspects of security or connectivity issues, I kind of miss where everything was in the clear other than your login. Much easier to troubleshoot issues, etc.

              But ssl/tls is meant to be end to end - any sort of mitm compromises that agreement.

              JonathanLee @johnpoz, last edited by Jul 8, 2024, 3:26 AM

                @johnpoz It all needs a healthy balance: the stuff you trust, security, and rules for the stuff you don't trust. I really agree it's a nightmare to configure and keep going.

                That splice-all works perfectly, plus it is simple and easy for the everyday user to set up; it sees the headers and you can easily stop the URLs you want to with it.

                johnpoz (LAYER 8 Global Moderator) @JonathanLee, last edited by Jul 8, 2024, 9:49 AM

                  @JonathanLee And is that going to work when ESNI, or now called ECH, takes off?

                  JonathanLee @johnpoz, last edited by Jul 8, 2024, 6:14 PM

                    @johnpoz TLS 1.3 is going to wreak havoc alongside https3 with DNS over https3… lots of new code will be needed.

                    johnpoz (LAYER 8 Global Moderator) @JonathanLee, last edited by Jul 8, 2024, 6:27 PM

                      @JonathanLee TLS 1.3 has been used for quite some time. Any time I bother to look at the connection to pretty much anything, it's TLS 1.3. This connection to the forums is using TLS 1.3.

                      ESNI is dead, but long live ECH; that could be problematic, I would bet.

                      But again, I don't do any sort of mitm; it's not good practice. I want my SSL/TLS to be end to end, as the internet gods intended it to be ;)

                      I have no need or desire to run a proxy. If I want to block something I would filter on IP or DNS. Yes, I block the bane of filtering, DoH and DoT.

                      I run a reverse proxy, but not as a filtering method or as a way to do mitm, but as a way to offload the SSL connection because the actual services have no SSL support at all, or are a pain to set up. These connections are TLS 1.3, and I don't even allow 1.2: if you're not using 1.3 then you're not accessing it. And I use strict SNI, so if you don't send the valid SNI you're not being proxied in either. This keeps rando port scanners from being able to actually get to the site's interface.

                      And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if you're coming from a US IP, etc.

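An added illustration of the two points raised in this exchange, written for this page and not code from the thread or from squid: the ECH question (whether an SNI-keyed splice rule still works once ECH takes off) and the "TLS 1.3 only, strict SNI" front door described in the last reply. It builds a minimal TLS ClientHello record (random bytes zeroed, one cipher suite, made-up hostnames), parses it the way a peeking proxy or a reverse proxy must before it can decide anything, and then applies both policies. The ECH extension body is an opaque stand-in for the HPKE ciphertext a real client would send; the point is that with ECH the only name readable on the wire is the outer public name, so a dstdomain-style splice list keyed on SNI no longer sees the real destination, while a strict SNI gate still works because it only needs to recognise its own published names.

```python
"""Constructed TLS ClientHello demo: what an SNI-based splice rule and a strict
reverse proxy can see before deciding. All hostnames are made up for the demo."""
from __future__ import annotations

import struct

EXT_SNI, EXT_SUPPORTED_VERSIONS, EXT_ECH = 0x0000, 0x002B, 0xFE0D
TLS13 = 0x0304


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str, ech: bool = False, versions=(TLS13,)) -> bytes:
    """Minimal ClientHello record. The random is zeroed: this is constructed input."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    exts = _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += _ext(EXT_SUPPORTED_VERSIONS, bytes([len(vers)]) + vers)
    if ech:
        # Stand-in for encrypted_client_hello: a real one carries HPKE ciphertext
        # of the inner hello, so the true server name is not readable on the wire.
        exts += _ext(EXT_ECH, b"\x00" + bytes(32))
    body = b"\x03\x03" + bytes(32) + b"\x00"          # legacy_version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"          # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                 # null compression only
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec: bytes) -> dict:
    """Extract SNI, offered versions and whether an ECH extension is present."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 34                                              # legacy_version (2) + random (32)
    p += 1 + body[p]                                    # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # cipher_suites
    p += 1 + body[p]                                    # compression_methods
    info = {"sni": None, "ech": False, "versions": [], "extensions": []}
    if p >= len(body):
        return info                                     # hello without extensions
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SNI:
            q = 2                                       # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    info["sni"] = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
        elif etype == EXT_ECH:
            info["ech"] = True
    return info


def _covers(pattern: str, host: str) -> bool:
    """squid dstdomain semantics: '.d' matches d and its subdomains, bare name exactly."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def splice_or_bump(rec: bytes, nobump: list[str]) -> dict:
    """Peek-at-step-1 decision keyed on whatever SNI the proxy can actually read."""
    info = parse_client_hello(rec)
    name = info["sni"]
    covered = name is not None and any(_covers(p, name) for p in nobump)
    return {"observed_sni": name, "ech": info["ech"],
            "action": "splice" if covered else "bump"}


def strict_frontdoor(rec: bytes, allowed: set[str]) -> str:
    """Reverse-proxy gate as described in the thread: TLS 1.3 offered and a known SNI."""
    info = parse_client_hello(rec)
    if TLS13 not in info["versions"]:
        return "reject: no TLS 1.3"
    if info["sni"] not in allowed:
        return "reject: unknown or missing SNI"
    return "accept"


if __name__ == "__main__":
    print(splice_or_bump(build_client_hello("albert.apple.com"), [".albert.apple.com"]))
    print(splice_or_bump(build_client_hello("public.example", ech=True), [".albert.apple.com"]))
    print(strict_frontdoor(build_client_hello("app.example"), {"app.example"}))
    print(strict_frontdoor(build_client_hello("app.example", versions=(0x0303,)), {"app.example"}))
    print(strict_frontdoor(build_client_hello("scanner.example"), {"app.example"}))
```

The parser is deliberately the minimum a proxy needs before a decision; a real deployment would also want to handle a ClientHello split across records and reject malformed lengths rather than index past the buffer.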
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.