Blocking iCloud Private Relay

Started by Clete2, January 07, 2025, 06:23:19 PM

As discussed here and in Apple's support documentation, I've blocked mask.icloud.com and mask-h2.icloud.com in Unbound by putting the following content into an Unbound config file:

root@OPNsense:~ # cat /usr/local/etc/unbound.opnsense.d/blockprivaterelay.conf
server:
    local-zone: "use-application-dns.net" always_nxdomain
    local-zone: "mask.icloud.com" always_nxdomain
    local-zone: "mask-h2.icloud.com" always_nxdomain

I can confirm that DNS queries to my Unbound server on both IPv4 and IPv6 return NXDOMAIN for both domains (as well as the Firefox DOH domain in the second line of the file).

However, my observation is that iCloud Private Relay keeps turning itself on and off throughout the day. It seems like for 30 minutes or so it is on, and then for another 30 it is off. All my devices (iPads, iPhones, MacBook Pro) are flipping on and off. I validated that my DNS on all devices is solely pointing to the 2 IPs for Unbound (1 for v4 and 1 for v6).

I have also looked at Reporting -> Unbound DNS -> Details and I see the DNS server always responding with NXDOMAIN for these domains.

Finally, I have manually turned off iCloud Private Relay for my WiFi network on the devices by following these instructions from Apple.

Why is my iCloud Private Relay randomly toggling on and off? Is there something wrong with my setup?

I think I fixed it. I blocked "mask-api.icloud.com" earlier today and have not seen the popup recently.

Found that domain on this website: https://support.apple.com/en-us/101555

PS I moved all blocks into the main Unbound blacklist UI, instead of in a custom config file. Apple was pretty specific that you should use "no such domain" replies but it seems giving a quad 0 reply works as well.

If you moved the blocks, what are your IPv6 and IPv4 responses for those names? Is it NXDOMAIN or 0.0.0.0 or ::?

I've been using:

server:
    local-zone: "doh.dns.apple.com." always_nxdomain
    local-zone: "use-application-dns.net." always_nxdomain
    local-zone: "mask.icloud.com." always_nxdomain
    local-zone: "mask-h2.icloud.com." always_nxdomain
    local-zone: "mask-api.icloud.com." always_nxdomain

Idle battery drain seems to be high on iPhone and iPad. I can verify with dig that I do get NXDOMAIN for these domains for clients on my network.

When you say the blacklist UI, are you saying you put them in the field "Services: Unbound DNS: Blocklist: Blocklist Domains"?

I thought about blocking Apple DOH as well but I wanted to block as little as possible, since my goal is to use Unbound to block ads and not necessarily to block iCloud. In fact I wish I could use private relay with my own DNS server, that would be ideal.

Yes, that's the UI path I put the domains in.

Querying for AAAA gives no reply rather than ::. I'm no DNS expert but I think that is called "no error".
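A way to check what clients actually get back for these names, as an added example that is not from any poster in this thread: it sends raw A and AAAA queries to the resolver given on the command line (defaulting to an assumed 127.0.0.1) and reports NXDOMAIN, an empty NOERROR (the "no reply" for AAAA mentioned above) or the addresses returned, so a 0.0.0.0 / :: sinkhole answer from the blocklist UI is distinguishable from a real one. The embedded sample responses are constructed for an offline check and were not captured from anyone's network.

```python
import socket, struct, sys

# Names the thread ends up blocking; each is checked for A and AAAA.
BLOCKED = ["mask.icloud.com", "mask-h2.icloud.com", "mask-api.icloud.com"]
def build_query(name, qtype, txid=0x1234):
    # Wire-format query: 12-byte header with RD set, then one IN question.
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)
def skip_name(data, off):
    # Step over a label sequence; a 0xC0 compression pointer is 2 bytes and ends the name.
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1
def classify_response(data):
    # (status, addresses): NXDOMAIN, NODATA (NOERROR with no answer) or ANSWERED with the A/AAAA rdata.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F
    if rcode:
        return ("NXDOMAIN" if rcode == 3 else f"RCODE{rcode}"), []
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip qtype + qclass
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28):
            addrs.append(socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata))
    return ("ANSWERED", addrs) if addrs else ("NODATA", [])
def query(resolver, name, qtype, timeout=2.0):
    # One UDP query to port 53 of the resolver; returns the raw response bytes.
    with socket.socket(socket.AF_INET6 if ":" in resolver else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver, 53))
        return s.recv(4096)
# Constructed sample responses (not captured from anyone's network) for an offline check.
SAMPLE_QUESTION = b"\x04mask\x06icloud\x03com\x00\x00\x01\x00\x01"
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + SAMPLE_QUESTION
SAMPLE_SINKHOLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUESTION
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(4))

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed Unbound listener
    for name in BLOCKED:
        for label, qtype in (("A", 1), ("AAAA", 28)):
            print(name, label, *classify_response(query(resolver, name, qtype)))
```

Run it once from a client on the LAN against the IPv4 listener and once against the IPv6 one; anything other than NXDOMAIN, NODATA or a sinkhole address for these names means that path is not blocked.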