Hi,
This post is more for reference of the report in Feedback Assistant, but feel free to chime in with anything I've missed or not interpreted correctly.
I use a third-party DNS resolver to filter network traffic (AdGuard DNS) across about 30 devices, many of which support iCloud Private Relay. To allow efficient auditing, iCloud Private Relay understandably has to be blocked.
When following Apple's recommendations to return NXDOMAIN for mask.icloud.com and mask-h2.icloud.com, this does not seem to have any effect on blocking iCloud Private Relay when the domains are blocked remotely as part of the AdGuard DNS service.
When checking the status of the iCloud Private Relay domains, I could confirm they were returning NXDOMAIN from the devices, yet the traffic still continued to bypass the blocking.
When blocking the iCloud Private Relay domains locally on the device via a Personal VPN user filter, Apple's recommendations seem to work correctly, immediately notifying me that iCloud Private Relay had been temporarily disabled, as I would have expected when returning NXDOMAIN from a third-party service. This indicates to me that unless there is a firewall between the device with iCloud Private Relay and the internet the blocking would be effective, but if the firewall is outside the local network, iCloud Private Relay seems to pass some DNS traffic through iCloud Private Relay as well as the user's chosen DNS server.
Further DNS testing with dnscheck.tools shows that my DNS resolvers are both AdGuard DNS and iCloud Private Relay, confirming the above.
DNS was set up both by a configuration profile and within a DNS-providing app, which gave the same results. It was only when the iCloud Private Relay domains were blocked on-device that they were properly blocked.
Apple's dev docs state that:
When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.
This is also not true, as iCloud Private Relay is being detected outside the network when my VPN is active and iCloud Private Relay is blocked.
I also tested the above with other DNS resolvers such as NextDNS and ControlD and experienced the same issues.
Feedback Assistant: FB11833118
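The check described in the post (confirming that the configured resolver actually returns NXDOMAIN for mask.icloud.com and mask-h2.icloud.com), as an added Python example that is not Apple's, AdGuard's or the poster's code. It builds the A query, classifies the response by its RCODE, and runs against constructed response packets so it works offline; the 203.0.113.10 address is a constructed placeholder.

```python
import socket
import struct

# Apple's documented iCloud Private Relay hostnames, as named in the post.
PRIVATE_RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")
RCODE_NXDOMAIN = 3  # RFC 1035 "Name Error"

def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query: header (RD=1, QDCOUNT=1) followed by the question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)

def classify_response(resp):
    """Read the 12-byte header and report NXDOMAIN, ANSWER, NODATA or RCODE<n>."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode:
        return f"RCODE{rcode}"
    return "ANSWER" if ancount else "NODATA"

def make_response(query, rcode, a_record=None):
    """Constructed fixture: echo the question, set QR/RD/RA and RCODE, add one A record."""
    (qid,) = struct.unpack(">H", query[:2])
    answer = b""
    if a_record:  # name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, 1 if a_record else 0, 0, 0)
    return header + query[12:] + answer

def audit_fixtures():
    """Offline demo: a blocking resolver (NXDOMAIN) beside one that still resolves."""
    results = {}
    for host in PRIVATE_RELAY_HOSTS:
        q = build_query(host)
        results[("blocking", host)] = classify_response(make_response(q, RCODE_NXDOMAIN))
        results[("resolving", host)] = classify_response(make_response(q, 0, "203.0.113.10"))
    return results
```

For a live check from a device, send build_query(host) over UDP/53 to the resolver the device is configured with and pass the received bytes to classify_response; only "NXDOMAIN" means the resolver is applying Apple's recommendation.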