Is there any way to test the iCloud Private Relay for IP address security or DNS leaks?
I use a router-based VPN, and when I enable the iCloud Private Relay with my router-based VPN active, my IP address is not secured and there are DNS leaks. When I disable the iCloud Private Relay, then my IP address is secured and there are no DNS leaks.
Apple claims all Safari web browsing and all DNS queries as users enter site names will be protected by the Private Relay.
Apple states Private Relay can be used alongside one's VPN. However, Apple also states traffic using a regular VPN will not be protected.
Am I the only one who is confused by this statement?
Will the new iCloud Private Relay features be manageable via MDM or declarative device management?
Hi, I have an application that creates an encrypted DNS configuration (#wwdc20-10047) which redirects DNS queries for a specific domain to my DNSOverHTTPS server system-wide using NEEvaluateConnectionRule(matchDomains: ...).
I was wondering how that would get affected by a user enabling Private Relay. An excerpt from "Get ready for iCloud Private Relay":
Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.
Does it mean that both DNS and HTTPS traffic matching my domain(s) will not use Private Relay system-wide?
In my use case, my domain can be resolved while browsing the web (using Safari, Chrome, etc.) as well as in other apps.
Thank you!
Hi,
I have read in the document that Private Relay applies only to the Safari browser. If I am using an HTTP call in my app, will Private Relay apply or not?
Thanks,
I noticed that when I'm running an app with an active Network Extension in macOS Monterey (21A5268h), changing the Private Relay state to on or off disrupts internet connectivity. The Wi-Fi menu bar icon eventually turns into an exclamation mark.
The only workaround I found is to turn the filter off or to delete it. If the filter is turned on again, Internet connectivity is lost. I've tested this with a pass-through NEFilterDataProvider-based NetworkExtension filter app, but also see this behavior with other network filtering apps such as TripMode which is on the Mac App Store.
Is this a bug? I've filed a report (FB9283392) and attached a sample project to it.
Hello there,
HTTP header enrichment is key to our app. Is there a way for an app to send an HTTP request that bypasses Private Relay so it can be enriched for SIM authentication over the mobile network?
Hello all,
I was wondering if there was a way to have Private Relay resolve DNS queries with the network-provided DNS server instead of the DNS server Private Relay currently uses. We are fine with traffic being hidden but would only like to see the DNS queries sent by clients in order to log and block malicious domains. What actions would we need to take on our network to block the Private Relay DNS server so that requests go to the network-provided DNS server?
Thanks,
Ironbolt89
I found an IP address being used that was not on the list.
https://mask-api.icloud.com/egress-ip-ranges.csv
Like this: 172.225.46.223
Is the list going to be updated? How often is it updated? Do you plan to inform the public when it is updated?
The document and video session mentioned that:
Private Relay protects users' web browsing in Safari / DNS resolution queries / ...
Not applicable traffic: local network connections / private domains / ...
What's the meaning of these above?
For example, if I use the Chrome browser and it makes DNS resolution queries, will it use Private Relay? Or only in Safari?
Local network connections? Is that when my iPhone connects to the Wi-Fi?
What does "private domains" mean?
Thanks,
I subscribed to Apple One (Family) recently, with my iPhone and Mac both updated to iOS 15 and macOS 12. I want to try iCloud Private Relay. However, it seems like I need to subscribe to iCloud+ individually to use iCloud Private Relay.
So, does Apple One (Family) include iCloud+ Private Relay?
I have read "Prepare Your Network for iCloud Private Relay". On that, I have two queries:
We use the IP address to limit usage of our app to prevent fraud. The video says that more than one user in a city uses the same IP address, so there will be more network calls from the same IP. How do I adapt to Private Relay in this case?
We show the user the IP address from which his details were created or updated. Since the IP we get from the egress proxy is modified, we cannot show the user the correct IP from which his details were created or updated. How do we solve this after adapting to iCloud Private Relay?
I would also like to know how broadly the IP will be modified from the user's location. I cannot find any document regarding this.
After upgrading to iCloud+, is the Private Relay feature turned on or off by default?
Hi there,
Does anyone know if existing App Transport Security Settings -> Exception Domains will still work after Private Relay is enabled? That is, can an excepted domain still use http without going through Apple's proxy?
Thanks
Tao
I have a VPN app that uses a tunnel to route traffic, and I'm finding that port 80 traffic cannot be routed when Private Relay is enabled. Oddly, it's just port 80 traffic. HTTP traffic over 8080 or other ports still work fine.
Specifically, connecting the socket using the connect() function for a port 80 address always returns the same error "No route to host".
According to the Packet Tunnel Provider documentation (https://developer.apple.com/documentation/networkextension/packet_tunnel_provider?language=objc):
When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.
This is not the behavior that we are seeing. As soon as I disable Private Relay on the device, the port 80 traffic flows correctly and there are no more errors. We already tried excluding the Private Relay servers from the tunnel, but that didn't have any impact on this issue. Is there anything else we could try to work around this?
So far we've tested with iOS 15 beta versions through beta 4. Also tested on developer versions as well as public beta.
Hello there,
I would like to know if my users have Private Relay set up.
Can I refer to the configuration status of Private Relay from the application or the web?
I formatted the phone and I did not have a backup in iCloud. Can Apple restore the files that were on the phone before it was formatted?
Source: https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/
Returning NXDOMAIN for the following two hostnames on 15.0 (19A5318f) results in the inability to resolve any hosts with iCloud Private Relay enabled, without alerting the user that they need to disable iCloud Private Relay to continue.
All resolution just silently fails, other than those cached in the stub resolver.
mask.icloud.com
mask-h2.icloud.com
Is there a missing host on the list to block, or is this not working correctly yet?
When reading how to prepare network for iCloud Private Relay, I can see:
"Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure http app traffic."
"iCloud Private Relay uses QUIC"
But QUIC (HTTP/3) is experimental in Safari 15. Why?
Some problems may occur if there are bad users with Private Relay enabled who visit websites hosted on my servers.
My servers use Fail2ban to ban bad users by their IP addresses (e.g. ModSecurity blocks a hacking attempt -> Fail2ban blocks that IP).
Now, the list (https://mask-api.icloud.com/egress-ip-ranges.csv) is way too big to whitelist all the IP addresses.
How should I handle this in Fail2ban?
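Three of the questions above (whether a given address such as 172.225.46.223 is in the published egress list, how an IP-based fraud limiter should treat a shared relay egress, and how to keep Fail2ban from banning an egress address that is too numerous to whitelist by hand) come down to the same mechanism: a fast membership check of a client IP against the CIDR ranges in egress-ip-ranges.csv, and a ban or rate-limit key that treats a hit differently from a single-user address. The example below is added here and is not code from any of the posters or from Apple. It assumes the CSV carries one CIDR per row in the first column followed by location columns (country, region, city); the rows embedded in SAMPLE_CSV are constructed for the example and are not real Apple ranges, and the bucketing thresholds are illustrative, not Apple guidance.

```python
"""Added example (not code from this thread or from Apple): classify client IPs
against Apple's published Private Relay egress ranges so that an IP-based fraud
limiter or a Fail2ban-style banner treats a shared relay egress differently
from a single-user address.

Assumptions (not confirmed by the thread): egress-ip-ranges.csv has one CIDR per
row in the first column followed by location columns (country, region, city).
The rows below are constructed sample data, not real Apple ranges.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed shape of egress-ip-ranges.csv.
SAMPLE_CSV = """\
172.225.46.0/23,US,US-CA,Los Angeles
172.224.224.0/20,US,US-NY,New York
2a02:26f7:c000::/40,DE,DE-BY,Munich
"""


class RelayEgressTable:
    """Longest-prefix lookup over the egress ranges."""

    def __init__(self, csv_text):
        # (ip version, prefix length) -> {network: location tuple}
        self._by_len = defaultdict(dict)
        for row in csv.reader(io.StringIO(csv_text)):
            if not row or not row[0].strip():
                continue  # skip blank lines
            net = ipaddress.ip_network(row[0].strip(), strict=False)
            self._by_len[(net.version, net.prefixlen)][net] = tuple(
                col.strip() for col in row[1:]
            )
        # Most specific prefix first, so a /23 wins over an enclosing /20.
        self._keys = sorted(self._by_len, key=lambda k: k[1], reverse=True)

    def lookup(self, ip_text):
        """Return (network, location) if ip_text is a relay egress, else None."""
        ip = ipaddress.ip_address(ip_text)
        for version, plen in self._keys:
            if version != ip.version:
                continue
            # Mask the address to this prefix length and test membership with
            # one dict lookup per prefix length instead of scanning every range.
            candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            loc = self._by_len[(version, plen)].get(candidate)
            if loc is not None:
                return candidate, loc
        return None

    def ban_key(self, ip_text):
        """Bucket for rate-limit or ban bookkeeping.

        A relay egress IP is shared by many users in one metro area, so the
        bucket is the (country, city) of the egress range rather than the
        address itself. This bucketing policy is the example's own choice.
        """
        hit = self.lookup(ip_text)
        if hit is None:
            return ("ip", ip_text)
        net, loc = hit
        country = loc[0] if loc else ""
        city = loc[2] if len(loc) > 2 else str(net)
        return ("relay", country, city)


class FailureCounter:
    """Minimal Fail2ban-like counter: ban direct IPs quickly, but only trip a
    relay bucket at a much higher threshold, since one egress address fronts
    many unrelated users. Thresholds are illustrative."""

    def __init__(self, table, ip_threshold=5, relay_threshold=500):
        self.table = table
        self.ip_threshold = ip_threshold
        self.relay_threshold = relay_threshold
        self.counts = defaultdict(int)

    def record_failure(self, ip_text):
        """Record one failed request; return True if the source should be banned."""
        key = self.table.ban_key(ip_text)
        self.counts[key] += 1
        limit = self.relay_threshold if key[0] == "relay" else self.ip_threshold
        return self.counts[key] >= limit


if __name__ == "__main__":
    table = RelayEgressTable(SAMPLE_CSV)
    for ip in ("172.225.46.223", "203.0.113.7", "2a02:26f7:c0ff::1"):
        print(ip, "->", table.lookup(ip))
```

In production you would load the real CSV (and reload it on a schedule, since the list changes) in place of SAMPLE_CSV, and feed `ban_key` into whatever store your limiter or Fail2ban action consults; the point is that the per-city bucket absorbs the many legitimate users behind one egress address while a direct attacker IP still trips the low threshold.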
Does anyone know why it is impossible to enable/test Private Relay even with an Apple One Premier subscription? Wouldn't it make sense that during the macOS beta all users would be able to turn it on? This feature looks good on paper, but the barrier to testing makes no sense.
Any help greatly appreciated.