Returning NXDOMAIN to audit network traffic with iCloud Private Relay is not preventing iCloud Private Relay traffic

Hi,

This post is more for reference of the report in Feedback Assistant, but feel free to chime in with anything I've missed or not interpreted correctly.

I use a third party DNS resolver to filter network traffic (AdGuard DNS) across about 30 devices, many of which are devices which support iCloud Private Relay. To allow efficient auditing, iCloud Private Relay understandably has to be blocked.

When following Apple's recommendations to return NXDOMAIN to mask.icloud.com and mask-h2.icloud.com, this does not seem to have any effect at all on blocking iCloud Private Relay when blocked remotely as part of the AdGuard DNS service.

When checking the status of the iCloud Private Relay domains, I could confirm they were returning NXDOMAIN from the devices, yet the traffic still continued to bypass the blocking.

When blocking the iCloud Private Relay domains locally on the device via a Personal VPN user filter, Apple's recommendations seem to work correctly, immediately notifying me that iCloud Private Relay had been temporarily disabled, as I would have expected when returning NXDOMAIN from a third party service. This indicates to me that unless there is a firewall between the device with iCloud Private Relay and the internet the blocking would be effective, but if the firewall is outside the local network iCloud Private Relay seems to pass some DNS traffic through iCloud Private Relay as well as the user's chosen DNS server.

Further DNS testing with dnscheck.tools shows that my DNS resolvers are both AdGuard DNS and iCloud Private Relay, confirming the above.

DNS was set up both by a configuration profile and within a DNS providing app, which gave the same results. It was only when the iCloud Private Relay domains were blocked on-device that they were properly blocked.

Apple's dev docs state that:

When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.

This is also not true as iCloud Private Relay is also being detected outside the network when my VPN is active and iCloud Private Relay is blocked.

I also tested the above with other DNS resolvers such as NextDNS and ControlD with the same issues being experienced.

Feedback Assistant: FB11833118
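The confirmation step described above (checking what a resolver actually returns for the two Private Relay hostnames), as an added stdlib-only Python check that is not part of the post or of Apple's documentation. The resolver IP is taken from the command line; the 192.0.2.53 default is a documentation-range placeholder, and the response bytes used in comments and tests are constructed.

```python
import socket
import struct
import sys
# The two hostnames Apple documents for NXDOMAIN blocking, as named in the post.
PRIVATE_RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RD set) for NAME; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(query, response):
    """Return (rcode name, answer count), checking RESPONSE really answers QUERY."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), an

def verdict(rcode, answers):
    """NXDOMAIN is the documented 'blocked' signal; anything else means the
    resolver still lets the device discover the Private Relay proxies."""
    if rcode == "NXDOMAIN":
        return "blocked (NXDOMAIN)"
    return f"not blocked ({rcode}, {answers} answer records)"

def audit_resolver(resolver_ip, hosts=PRIVATE_RELAY_HOSTS, timeout=3.0):
    """Query each hostname against RESOLVER_IP over plain UDP/53."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i, host in enumerate(hosts):
            query = build_query(host, txid=0x1000 + i)
            sock.sendto(query, (resolver_ip, 53))
            response, _ = sock.recvfrom(512)
            results[host] = verdict(*classify_response(query, response))
    return results

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder; pass your resolver's IP.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    for host, result in audit_resolver(resolver).items():
        print(f"{host}: {result}")
```

Run it once against the upstream filtering resolver and once against the address the device is actually using; a "not blocked" verdict from either is the case the post describes.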

I cannot comment on the NXDOMAIN side of this but regarding:

This is also not true as iCloud Private Relay is also being detected outside the network when my VPN is active and iCloud Private Relay is blocked.

This may be because iCloud Private Relay is protecting traffic that your VPN is not claiming. If your VPN is claiming traffic for Safari as an example, then the VPN should take precedence over iCloud Private Relay. If your VPN is claiming specific app traffic then it would be normal to have iCloud Private Relay still claiming Safari traffic.

We too have seen similar, if not the same things you’re saying.

We do not host internal DNS and rely on public NS. We can't configure an NXDOMAIN response to mask.icloud.com or mask-h2.icloud.com but we are using a firewall to block traffic to these domains, sending an ICMP unreachable response.

We can see blocked traffic to these domains but requests are still resolving using the NS mask.apple-dns.net. Apple's documentation doesn't mention any actions to take for this domain; however, it's consistently one of the most accessed domains on our network.
