netcts.cdn-apple.com
-
Has anyone else seen this address constantly getting connections? I think it is a new DoH, but it is running over HTTP. I do not use Private Relay and/or caching on the iMacs, but it is constant. If you block it, the searches for it stop also.
http://netcts.cdn-apple.com
Anyone else have any info outside of what ChatGPT says it is? I think it is related to DoH.
-
@JonathanLee said in netcts.cdn-apple.com:
netcts.cdn-apple.com
I see my wife's phone doing queries for it - but nothing crazy like..
My phone isn't doing it, nor is the iPad..
;; ANSWER SECTION:
netcts.cdn-apple.com. 30 IN CNAME netcts.cdn-apple.com.edgesuite.net.
netcts.cdn-apple.com.edgesuite.net. 2402 IN CNAME a1744.dscw154.akamai.net.
a1744.dscw154.akamai.net. 30 IN A 23.213.53.133
a1744.dscw154.akamai.net. 30 IN A 23.213.53.156
I don't see any states open for it in the pfSense state table. To either of those IPs.
I think it's more of a check for Apple, like after iOS 13, some sort of check for internet access maybe - if you load the page over http you just get "Success" back.. if it doesn't answer over https - it sure its doh..
If you load it via https - looks like the https cert being served is only valid for these domains
The certificate is only valid for the following names: a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net, *.akamaihd.net, *.akamaihd-staging.net
This site shows it listed as a captive portal check
-
I used to think it was for caching iMac updates, as you can enable caching on the new iMacs, or it was for Private Relay. Again, I have both services disabled.
per ChatGPT:
Reddit users and sysadmins have observed this domain being used by Apple devices, and it's harmless. One user noted: “These URLs were tried to be resolved via the private relay… including netcts.cdn-apple.com. So it seems… hard routed through the private relay by apple.” reddit.com And networking experts confirm it was introduced post‑iOS 13, where flaky server responses to it could trigger Wi‑Fi anomaly alerts in iOS.
I have Private Relay disabled. I blocked it, no change on anything, but I am seeing more resolved domain names now on the proxy; that is the only reason I think it is DoH.
I was also reading that it is also related to some kind of captive portal detection. That was my first thought like you said.
So What Is netcts.cdn-apple.com Doing Then? It's part of Apple's CDN, used to serve content assets like Mail images, iCloud files, and Private Relay data. It is not part of the captive portal detection system, but… It can be requested soon after network connection, right around the same time the captive portal check runs. This timing can confuse firewalls or log analyzers into thinking it's part of the detection flow — but it's not used to determine portal status.
-
@johnpoz I am glad you also noticed it. I see it a lot on my proxy. I decided to block it and see what breaks, but nothing changed so far. I also have the DNS manually set on the iMac, so it should not attempt to use DoH.
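-
An added example, not code from any poster in this thread: one way to sort proxy log records into RFC 8484 DoH requests (HTTPS, media type application/dns-message or a GET with a dns= parameter) versus the kind of small plain-HTTP check discussed above. The log format, every host other than netcts.cdn-apple.com, the 512-byte cut-off and all record values are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not taken from the thread).
# Assumed format: client method url status bytes content-type
SAMPLE_LOG = """\
192.0.2.10 GET http://netcts.cdn-apple.com/ 200 7 text/html
192.0.2.10 GET http://netcts.cdn-apple.com/ 200 7 text/html
192.0.2.11 CONNECT doh.example.net:443 200 5120 -
192.0.2.12 GET https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 96 application/dns-message
192.0.2.12 POST https://doh.example.net/dns-query 200 96 application/dns-message
192.0.2.13 GET http://www.example.org/index.html 200 20480 text/html
"""

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484
PROBE_MAX_BYTES = 512  # assumed cut-off for a "tiny" reachability reply


def classify(line):
    """Return (host, label) for one record in the assumed log format."""
    _client, method, url, _status, size, ctype = line.split()
    if method == "CONNECT":
        # Without TLS interception the proxy only sees host:port, so the
        # payload (DoH or anything else) cannot be judged from this record.
        return url.rsplit(":", 1)[0], "tls-tunnel"
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # RFC 8484 requires HTTPS; requests are POSTs with a dns-message body
    # or GETs carrying the base64url query in a "dns" parameter.
    if parts.scheme == "https" and (
        ctype == DOH_MEDIA_TYPE or (method == "GET" and "dns" in query)
    ):
        return parts.hostname, "doh"
    # Cleartext GET, no query string, tiny reply: reachability-style check.
    if (parts.scheme == "http" and method == "GET"
            and not parts.query and int(size) <= PROBE_MAX_BYTES):
        return parts.hostname, "plain-http-probe"
    return parts.hostname, "other"


def summarize(log_text):
    """Count records per (host, label)."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for (host, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label:18s} {host}")
```

A "tls-tunnel" result says nothing either way; judging those needs the destination checked against known resolver hostnames or a proxy that inspects TLS.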