Post not yet marked as solved
Hi,
We are implementing a flow where the end-user starts a session in the Safari browser, switches to an app and then returns to the Safari browser. The whole process should take less than 30 seconds, but if iCloud Private Relay is turned on, the IP address is changing in that short timeframe.
In this case from 104.28.45.4 to 104.28.45.5.
This does not seem to match with the description in: https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
“Additionally, the relay IP address will remain stable during a browsing session from a device, to make sure you will see a consistent address while a user is interacting with your website.”
-Anders
Post not yet marked as solved
On iOS 15 beta (iOS 15 beta 6 & previous beta) with private relay enabled, my mobile app wipes out UserDefaults data which is causing sign in issues (both manual and biometric) after a day or so after signing in to the app and then backgrounding the app on iOS 15.
I've seen some tweets where some banking apps appear to have a similar issue where their biometric token is getting wiped every few days when private relay is enabled. These app issues seem to only occur when private relay is enabled.
Ivor Carcamo 🏎💨 🚓 🏁 (@Ivor_Carcamo) Tweeted:
@isiosstable iOS 15 beta, very stable release. Only issues are with apps themselves. I think that private relay cause apps like Chase and Capital One to require sign in authentication repeatedly. Hopefully next beta resolves or the app developers update their apps.
https://twitter.com/Ivor_Carcamo/status/1417638377369833480?s=20
Any insight you could provide or help in narrowing our focus would be helpful and greatly appreciated as we’d like to resolve/mitigate this issue before the iOS 15 general audience release so our iOS mobile app users who upgrade to iOS 15 do not experience it.
Post not yet marked as solved
Source: https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/
Returning NXDOMAIN for the following two hostnames on 15.0 (19A5318f) results in the inability to resolve any hosts with iCloud Private Relay enabled without alerting the user that they need to disable iCloud Private Relay to continue.
All resolution just silently fails, other than those cached in the stub resolver.
mask.icloud.com
mask-h2.icloud.com
Is there a missing host on the list to block, or is this not working correctly yet?
Post not yet marked as solved
When reading how to prepare network for iCloud Private Relay, I can see:
"Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure http app traffic."
"iCloud Private Relay uses QUIC"
But QUIC (HTTP/3) is experimental in Safari 15. Why?
Post not yet marked as solved
I am worried that Private Relay addresses (Beta) have problems.
I created about 30 addresses and received many emails. Some addresses are connected with third-party accounts, for example Google, Yahoo, blog, shopping, payment apps and so on.
When you use a private relay address ONLY to receive information from a service or product, the address works well and is convenient, keeping you secure and protecting your privacy.
But if you need to reply to incoming mail, the mail header sends the receiver all the information, which includes the original Apple ID cloud address. This is because mail headers have been designed that way since the beginning of the history of the internet.
If you happen to need support for a certain service by mail (even if you use a contact form on the web), you need to answer the message to proceed. But you should not reply from the mail app, because the private relay address system is not designed for such situations.
So when I receive support mail through private relay, secure and protected, I go back to the form on the web or the homepage to reply.
I will check how this service is updated in the future. I hope we can resolve such cases well.
Post not yet marked as solved
Is there a rough idea of how often the egress-ip-ranges.csv will change so we can determine how often to update our list?
And what kind of growth can we expect? It seems to have grown by about 5 MB in the last couple of months. I'm wondering if that is due to it being new or if we should expect steady growth at that rate.
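A relay-aware session check for two situations raised in this thread (a client address moving from 104.28.45.4 to 104.28.45.5 mid-session, and keeping a local copy of egress-ip-ranges.csv), as an added example that is not part of any post or of Apple's documentation. It assumes the CIDR is the first CSV column; the sample rows, the function names and the policy itself are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows. Assumed layout: CIDR in the first column, then
# location fields that this example ignores. The last row is deliberately bad.
SAMPLE_CSV = """\
104.28.45.4/31,ZZ,ZZ-01,Example City,
198.51.100.0/28,ZZ,ZZ-02,Example Town,
2001:db8:45::/64,ZZ,ZZ-01,Example City,
not-a-cidr,ZZ,ZZ-03,Broken Row,
"""


def load_ranges(text):
    """Parse the CSV into ip_network objects, skipping blank or malformed rows."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        try:
            ranges.append(ipaddress.ip_network(row[0].strip(), strict=False))
        except ValueError:
            continue  # one bad row must not break the whole refresh
    return ranges


def relay_range(ip, ranges):
    """Return the listed egress range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in ranges:
        if addr.version == net.version and addr in net:
            return net
    return None


def classify_ip_change(old_ip, new_ip, ranges):
    """Hypothetical policy: tolerate moves between relay egress addresses and
    ask for re-authentication on any other mid-session address change."""
    if ipaddress.ip_address(old_ip) == ipaddress.ip_address(new_ip):
        return "same"
    if (relay_range(old_ip, ranges) is not None
            and relay_range(new_ip, ranges) is not None):
        return "relay-rotation"
    return "reauthenticate"


RANGES = load_ranges(SAMPLE_CSV)
```

A linear scan is fine for a sample this size; a full-size range list would call for a prefix tree or sorted-interval lookup, and the session cookie or token remains the primary binding either way.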
Hello all,
I'd like to understand if we have a mechanism for an app to understand if a user has activated iCloud Private Relay in iOS 15.
Private Relay introduces some unexpected behaviour in my application, and I'd like to prompt/warn users of this fact if and when they make the choice to activate this feature.
I understand if the device is supervised this feature can be controlled, but my app mainly runs in an unsupervised context so that is largely not useful for me.
Post not yet marked as solved
Hey all,
I've added my domain without issue and have been able to send/receive. The problem I'm experiencing is previous addresses I was testing with still appear in macOS Mail and also Mail on iOS.
The addresses shown no longer appear in iCloud Settings so I'm not sure where to go with this issue.
I'm doubtful normal Apple support would be helpful for this as it's more likely an iCloud issue directly.
Post not yet marked as solved
When I activate relay, my internal DNS domains are not working. How do I resolve this?
Post not yet marked as solved
In my country (Tokyo, Japan), it seems that "Akamai Technologies, Inc.", "Cloudflare, Inc.", and "Fastly, Inc." are providing almost all the egress proxies for Private Relay (this is estimated from whois information).
Also, I was able to resolve the domain of Akamai's egress proxy with nslookup, such as:
a[ppp-qqq-rrr-sss].deploy.static.akamaitechnologies.com
/* [ppp-qqq-rrr-sss] means available ipv4 address of egress proxy */
but I couldn't resolve Cloudflare's and Fastly's, which returned an NXDOMAIN error.
I want to know how and why this difference has occurred between Cloudflare, Fastly and Akamai, even though it is one and the same service.
Because I found that some web services limit access from Akamai's egress proxy only, I'm guessing that this difference (security settings?) is causing the inconvenience.
In addition, I would like to know if Apple is comfortable with the situation of egress proxies not being in the DNS records.
And I hope that in the near future either the specification will be standardized or users will be able to choose them.
By the way, I might often be assigned the following IP addresses:
privateRelayIpsAtTokyo.csv
so now you can check it.
Post not yet marked as solved
Hi,
If I update the DNS server to return a negative DNS response for the Private Relay domains, would it force the device to fall back to the standard behavior so that the traffic can be audited? Or will it only alert the user?
Thanks,
M
I have a security app that filters DNS traffic via a NEPacketTunnelProvider extension, blocking access to dangerous domains (malware, phishing etc). The DNS requests are sent to a DNS server that will resolve only the safe domains.
With Private Relay ON I still have access in the extension to all the DNS queries, but unfortunately, the user can still access those domains on the device, although DNS resolutions are blocked in the extension for specific domains. This happens only when Private Relay is ON, so practically the web browsing protection does not work anymore.
With Private Relay ON, I noticed DNS requests for the mask.apple-dns.net domain resolved by my DNS server.
How is this supposed to work?
Are other DNS requests sent to mask.apple-dns.net and not caught by our network extension? Is that supposed to happen?
a. Would an NXDOMAIN response for mask.apple-dns.net fix this behaviour and allow the app to offer protection while Private Relay is ON?
b. Will any alert be displayed to the user in that case?
Do you have any other suggestions?
Could you clarify the behaviour for a NEPacketTunnelProvider extension processing only DNS requests?
I would have expected for the DNS name resolution queries to be processed only through the network extension.
An excerpt from "Get ready for iCloud Private Relay" says:
“Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.”
“When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.”
I have also asked for help via Feedback Assistant (FB9623058).
Post not yet marked as solved
Will private relay require 1.3 be enabled on the webserver host?
Post not yet marked as solved
For visitors who are in California, will "region" level data be equitable to which state the visitor's IP address is located in? Geolocation of visitors can be and is used for California's Consumer Privacy Act.
Post not yet marked as solved
After upgrading to iCloud +, is the default Private Relay feature turned on or off by default?
Post not yet marked as solved
Will private relay come to Apple TV?
Post not yet marked as solved
Hi, I have an application that creates an encrypted DNS configuration (#wwdc20-10047) which redirects DNS queries for a specific domain to my DNSOverHTTPS server system wide using NEEvaluateConnectionRule(matchDomains: ...).
I was wondering how that would get affected by a user enabling Private Relay. An excerpt from "Get ready for iCloud Private Relay":
Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.
Does it mean that both DNS and HTTPS traffic matching my domain(s) will not use Private Relay system wide?
In my use-case, my domain can be resolved while browsing web (using Safari, Chrome, etc.) as well as in other apps.
Thank you!
Post not yet marked as solved
I can't find documentation on how the Custom Email Domain feature in iCloud+ manages security configurations. Can someone point me in the right direction?
Can I allow/prevent others from using my personal domain?
Post not yet marked as solved
I keep testing the private relay email, sending it emails to see if I will receive anything using my private iCloud addresses. So far, nothing - Very concerning as these are important messages.
Thx for your help.
Post not yet marked as solved
Does anyone know why it is impossible to enable/test Private Relay even with an Apple One Premier subscription? Wouldn't it make sense that during the macOS Beta all users would be able to turn it on? This feature looks good on paper but the barrier to testing makes no sense.
Any help greatly appreciated.