iCloud Private Relay
-
So I want to disable iCloud Private Relay on my entire network, but also have it inform the user. I have tried blocking the following domain names with a pfBlocker custom DNSBL group, but client devices are still able to use it.
I have tried adding these to my Unbound custom options and this doesn’t seem to make any difference:
local-zone: "mask.icloud.com" always_nxdomain
local-zone: "mask-h2.icloud.com" always_nxdomain
Note that I am running pfSense+ 23.05 with the Unbound resolver going up to Cloudflare (no DNS forwarder). What is the best way for me to force an NXDOMAIN response as per Apple’s docs below?
“The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.”
mask.icloud.com
mask-h2.icloud.com
-
I have also tried this with little success:
-
Update: it works some of the time, but it’s certainly not consistent. When it does work, it does take a while before the message pops up on the end-user device. Until that happens, iCloud Private Relay still works.
-
Have you tried SquidGuard? That might help.
-
@DefenderLLC I think you’re missing the trailing period:
local-zone: "mask.icloud.com." always_nxdomain
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf#page14
-
@SteveITS said in iCloud Private Relay:
@DefenderLLC I think you’re missing the trailing period:
local-zone: "mask.icloud.com." always_nxdomain
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf#page14
I actually had it in there originally. Apparently it just takes a while for the device to recognize that iCloud Private Relay is no longer available. I ended up going down the pfBlocker path since it has so many other predefined options for blocking DoH and DoT services. Thanks.
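Added example, not from any poster in this thread: a small stdlib-only Python script that emits the two Unbound local-zone lines with the trailing dot and then asks a resolver for each Private Relay hostname directly over UDP/53, classifying the reply the way Apple's guidance distinguishes them (NXDOMAIN, "no error no answer", still resolving, or the timeout Apple says to avoid). The resolver address defaults to 127.0.0.1; on a pfSense box you would pass the LAN address of Unbound instead. The hostnames are the two from the thread; everything else (function names, the RCODE table) is this example's own.

```python
"""Verify a resolver answers NXDOMAIN (or NOERROR with no answer) for the
iCloud Private Relay hostnames instead of resolving them or timing out.
Constructed example for this thread; not the poster's or Apple's code."""
import random
import socket
import struct
import sys

# The two hostnames Apple documents for Private Relay (from the thread).
PRIVATE_RELAY_HOSTS = ["mask.icloud.com", "mask-h2.icloud.com"]

# DNS RCODE values (RFC 1035); only the ones we expect to see here.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def unbound_local_zones(hosts):
    """Return Unbound 'local-zone' lines, normalising each name to an
    absolute name with a trailing dot, as in SteveITS's reply."""
    lines = []
    for host in hosts:
        name = host.rstrip(".") + "."
        lines.append(f'local-zone: "{name}" always_nxdomain')
    return lines


def encode_name(name):
    """Wire-format a hostname: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Build a single-question DNS query (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Pull the RCODE and answer count out of a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return {"rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount}


def classify(result):
    """Map a parsed reply onto the outcomes Apple's note describes."""
    if result["rcode"] == 3:
        return "nxdomain"          # what always_nxdomain should produce
    if result["rcode"] == 0 and result["answers"] == 0:
        return "no-answer"         # "no error no answer", also acceptable
    if result["rcode"] == 0:
        return "resolves"          # block is not in effect
    return "error"                 # SERVFAIL/REFUSED etc.: not what Apple wants


def check_host(resolver_ip, host, timeout=2.0):
    """Query one hostname against the resolver and classify the outcome."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(host, txid), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"       # the case Apple explicitly says to avoid
    return classify(parse_response(data, txid))


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(unbound_local_zones(PRIVATE_RELAY_HOSTS)))
    for h in PRIVATE_RELAY_HOSTS:
        print(f"{h}: {check_host(resolver, h)}")
```

Run it as `python3 check_relay.py 192.0.2.1` (substitute the pfSense LAN address). A result of `resolves` means the local-zone entries are not being applied by the running Unbound instance; `timeout` means something upstream is dropping the query rather than answering, which is the behaviour Apple's note says causes delays on client devices.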