Messages - Clete2

#1
I thought about blocking Apple DOH as well but I wanted to block as little as possible, since my goal is to use Unbound to block ads and not necessarily to block iCloud. In fact I wish I could use private relay with my own DNS server, that would be ideal.

Yes, that's the UI path I put the domains in.

Querying for AAAA gives no reply rather than ::. I'm no DNS expert but I think that is called "no error".
#2
I think I fixed it. I blocked "mask-api.icloud.com" earlier today and have not seen the popup recently.

Found that domain on this website: https://support.apple.com/en-us/101555

PS: I moved all blocks into the main Unbound blacklist UI, instead of in a custom config file. Apple was pretty specific that you should use "no such domain" replies but it seems giving a quad 0 reply works as well.
#3
As discussed here and in Apple's support documentation, I've blocked mask.icloud.com and mask-h2.icloud.com in Unbound by putting the following content into an Unbound config file:

root@OPNsense:~ # cat /usr/local/etc/unbound.opnsense.d/blockprivaterelay.conf
server:
    local-zone: "use-application-dns.net" always_nxdomain
    local-zone: "mask.icloud.com" always_nxdomain
    local-zone: "mask-h2.icloud.com" always_nxdomain

I can confirm that DNS queries to my Unbound server on both IPv4 and IPv6 return NXDOMAIN for both domains (as well as the Firefox DOH domain in the second line of the file).

However, my observation is that iCloud Private Relay keeps turning itself on and off throughout the day. It seems like for 30 minutes or so, it is on, and then another 30 it is off. All my devices: iPads, iPhones, MacBook Pro, are flipping on and off. I validated that my DNS on all devices is solely pointing to the 2 IPs for Unbound (1 for v4 and 1 for v6).

I have also looked at Reporting -> Unbound DNS -> Details and I see the DNS server always responding with NXDOMAIN for these domains.

Finally, I have manually turned off iCloud Private Relay for my WiFi network on the devices by following these instructions from Apple.

Why is my iCloud Private Relay randomly toggling on and off? Is there something wrong with my setup?
#4
Is there a command I can run to validate?
#5
Sorry for so many posts. I finally resolved the issue!

www.routerperformance.net does not have any AAAA records. I had accidentally turned on "Enable DNS64 Support" to synthesize quad A records for use in NAT64. I don't use NAT64 and never configured it, so the lack of AAAA records caused this site to be unreachable by OPNsense.

The simple fix: Disable DNS64 support on Unbound.
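A way to answer the "is there a command I can run to validate?" question from the router or any host that can reach the resolver, without installing dnspython or bind-tools. This is an added example and not code from the thread or from OPNsense: it crafts a minimal DNS query with the standard library, sends it over UDP to the resolver, and reports the RCODE plus any AAAA answers. It covers both checks from the posts above: a name blocked with `local-zone ... always_nxdomain` must come back NXDOMAIN, and a name with no published AAAA record must come back NOERROR with zero answers; an AAAA inside the well-known 64:ff9b::/96 prefix means DNS64 synthesis is still switched on. The resolver address 192.0.2.1 is a placeholder, as are the query names.

```python
"""Check what a resolver answers for a name (added example, standard library only).

RESOLVER, the query names and port 53 are assumptions for this illustration.
"""
import ipaddress
import secrets
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DNS64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 prefix used by DNS64


def build_query(qname: str, qtype: str, txid: int) -> bytes:
    """Standard query: RD=1, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return the RCODE name, the AAAA answers, and whether any of them looks DNS64-synthesised."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    aaaa = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE["AAAA"] and rdlen == 16:
            aaaa.append(ipaddress.IPv6Address(msg[off:off + 16]))
        off += rdlen
    return {
        "rcode": RCODE_NAME.get(rcode, str(rcode)),
        "aaaa": [str(a) for a in aaaa],
        "dns64_synth": any(a in DNS64_WELL_KNOWN for a in aaaa),
    }


def query(resolver: str, qname: str, qtype: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `resolver` (IPv4 or IPv6 literal) and parse the reply."""
    txid = secrets.randbelow(0x10000)  # unpredictable ID so a spoofed reply is rejected
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    RESOLVER = "192.0.2.1"  # placeholder: the address Unbound listens on
    for name in ("mask.icloud.com", "mask-h2.icloud.com", "mask-api.icloud.com"):
        print(name, query(RESOLVER, name, "A"))  # expect rcode NXDOMAIN for each
    # A name with no AAAA published: expect NOERROR, no answers, dns64_synth False
    print("www.routerperformance.net", query(RESOLVER, "www.routerperformance.net", "AAAA"))
```

Run it once against the Unbound address on IPv4 and once on IPv6, since the thread's problem only showed up for traffic from the firewall itself. The script deliberately sends a single UDP query with no TCP fallback, so a reply with the TC bit set (large answers) would be parsed as-is; for the NXDOMAIN and empty-AAAA checks here that never applies.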
#6
IPv6 DNS is working just fine from my laptop. IPv6 connectivity does as well. Even IPv6 DNS works on OPNsense, although I had to manually set it in the General settings.

IPv6 connectivity does not work when traffic is coming directly from OPNSense itself. Any hints would be appreciated, I have been searching up and down and unable to find anything.

root@OPNsense:~ # netstat -nr6 | grep default
default                           fe80::...<my upstream gateway>%igb0 UG        igb0
#7
Quote from: meyergru on January 04, 2025, 04:29:08 PM
Works for me. Probably a problem with IPv6 connectivity and curl and fetch reacting differently on that. You can check by using -4 and -6 for fetch.

That's it. Fetch with -4 works flawlessly. Now to figure out why IPv6 DNS isn't working... Thank you!
#8
I'm trying to install AdGuard Home from routerperformance.net's repo. I found that the "fetch" command hangs on DNS resolution, or connection instantiation, for over a minute each time it is used. curl doesn't have the same issue, and returns almost immediately.

Fetch hangs on "Resolving server address:..." for over a minute, and then quickly gets through the rest:
root@OPNsense:~ # time fetch -v https://www.routerperformance.net/mimugmail-single.conf
resolving server address: www.routerperformance.net:443
SSL options: 82004850
Peer verification enabled
Using OpenSSL default CA cert file and path
Verify hostname
TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
Certificate subject: /CN=routerperformance.net
Certificate issuer: /C=US/O=Let's Encrypt/CN=R11
requesting https://www.routerperformance.net/mimugmail-single.conf
local size / mtime: 114 / 1733986251
remote size / mtime: 114 / 1733986251
mimugmail-single.conf                                  114  B 2141 kBps    00s
0.028u 0.000s 1:15.52 0.0% 24+204k 0+0io 0pf+0w

Curl takes less than a second in total:

root@OPNsense:~ # time curl https://www.routerperformance.net/mimugmail-single.conf
mimugmail: {
  url: "https://opn-repo.routerperformance.net/repo-single/${ABI}",
  priority: 5,
  enabled: yes
}

0.013u 0.000s 0:00.61 1.6% 104+136k 0+0io 0pf+0w

This is causing my updates/system downloads to hang for a very long time. Why do these tools behave differently and what is causing fetch to be so slow?
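The fetch timing above (1:15 wall clock for a 114-byte file) is consistent with a TCP connect that sat on an unanswered SYN to an IPv6 address until the kernel gave up (FreeBSD's default net.inet.tcp.keepinit is 75 s) before the client moved on to IPv4, whereas a client that races both families succeeds on IPv4 at once. The added example below is not from the thread or from OPNsense: it resolves a host separately per address family and times one TCP connect to each address, so a "resolvable but not routable" IPv6 path shows up as a long timeout on the IPv6 entries while IPv4 reports ok. Host, port and the 5 s timeout are placeholders.

```python
"""Probe a host over IPv4 and IPv6 separately and time each TCP connect.

Added example. The host, port and timeout values are assumptions; run it on
the machine whose clients hang (here the firewall itself).
"""
import errno
import socket
import time


def resolve(host, port, family):
    """Socket addresses getaddrinfo offers for `host` in one address family (may be empty)."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [ai[4] for ai in infos]


def probe(sockaddr, timeout):
    """Attempt one TCP connect, classify the outcome and measure how long it took.

    The family is inferred from the address literal (':' means IPv6).
    """
    family = socket.AF_INET6 if ":" in sockaddr[0] else socket.AF_INET
    t0 = time.monotonic()
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        status = "ok"
    except socket.timeout:
        status = "timeout"          # SYN left the box, nothing came back: the slow case
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            status = "unreachable"  # no route at all: fails instantly, no long hang
        elif e.errno == errno.ECONNREFUSED:
            status = "refused"      # host reachable, port closed
        else:
            status = f"error:{e.errno}"
    finally:
        s.close()
    return {
        "addr": sockaddr[0],
        "status": status,
        "seconds": round(time.monotonic() - t0, 2),
    }


def probe_host(host, port=443, timeout=5.0):
    """Probe every IPv4 and every IPv6 address of `host`, reported per family."""
    results = {}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        results[label] = [probe(addr, timeout) for addr in resolve(host, port, family)]
    return results


if __name__ == "__main__":
    for fam, res in probe_host("www.routerperformance.net").items():
        print(fam, res or "no addresses")
```

A "timeout" on every IPv6 entry alongside "ok" on IPv4 is the fetch-hangs-but-curl-works pattern; "no addresses" for IPv6 means the name has no AAAA records and the problem is elsewhere. Compare with `fetch -4` / `fetch -6` and `curl -4` / `curl -6` as suggested in the reply above.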