DNS Filter issues with iOS devices when iCloud private relay is on

Mr.Navigator

New Around Here
Hello all,

I'm experiencing issues specifically on iOS devices with private relay on, as it is bypassing DNS Filter entirely, meaning it's not blocking adult websites. I've tried different filters, even manually assigning the MAC address of a device to use the router settings, but no matter what I do, it's just not behaving as expected. Even manually setting the DNS IPv4 and IPv6 on the device won't block adult websites. Issue is non-reproducible on Windows devices and when private relay is disabled. Has anyone encountered a similar issue or dealt with a similar situation? What is your suggestion or resolution?

 
They use either DNS-over-TLS or DNS-over-HTTPS, which cannot be redirected by DNS Director because it uses a secure TLS connection to ensure that the DNS request isn't hijacked - which is what DNS Director is in effect doing, hijacking DNS queries.

So you have to choose: Private Relay, or DNS Director. Can't use both.
 
So far as I know, Apple Private Relay makes its own DNS arrangements independent of the router.
The only way to enforce your own DNS with Private Relay is to include it in a DNS profile, installed on each client.
Profile/s can be found here, maybe elsewhere as well?

 
I tried adding to dnsmasq.conf.add

#block private relay
address=/mask.icloud.com/
address=/mask-h2.icloud.com/

which should (I think) show mask.icloud.com etc. as non-existent hosts

which works from nslookup (on my machine)

500:[~]$ nslookup mask.icloud.com
Server: 2601:646:9e80:bb47::1
Address: 2601:646:9e80:bb47::1#53

** server can't find mask.icloud.com: NXDOMAIN

but when I turn on private relay it still works. I really want to block it completely. Anyone figured out how?
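As an added illustration (not code from the thread), the following Python reproduces how the dnsmasq `address=/domain/` entries above match a queried name (the domain itself plus any subdomain) and then scans a constructed dnsmasq query log to see which clients actually asked the router's resolver for the Private Relay bootstrap hostnames. A client running Private Relay that never shows up in that log is resolving through DoH/DoT elsewhere, which is why the dnsmasq entry has no effect on it. The log lines and the 192.168.1.x addresses are constructed samples.

```python
import re
from collections import defaultdict

# The dnsmasq.conf.add entries from the post: address=/domain/ with no IP
# makes dnsmasq answer NXDOMAIN for the domain and every name beneath it.
DNSMASQ_CONF = """
#block private relay
address=/mask.icloud.com/
address=/mask-h2.icloud.com/
"""

def parse_address_blocks(conf_text):
    """Return the set of domains that address=/domain/ lines turn into NXDOMAIN."""
    blocked = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"address=/([^/]+)/", line)
        if m:
            blocked.add(m.group(1).lower().rstrip("."))
    return blocked

def is_blocked(name, blocked):
    """dnsmasq matches the domain itself and any subdomain, on a label boundary."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)

# Constructed dnsmasq query-log lines (log-queries enabled), not taken from the thread.
SAMPLE_LOG = """\
Apr  8 10:15:01 dnsmasq[1234]: query[HTTPS] mask.icloud.com from 192.168.1.50
Apr  8 10:15:01 dnsmasq[1234]: config mask.icloud.com is NXDOMAIN
Apr  8 10:15:02 dnsmasq[1234]: query[A] mask-h2.icloud.com from 192.168.1.50
Apr  8 10:15:02 dnsmasq[1234]: config mask-h2.icloud.com is NXDOMAIN
Apr  8 10:15:03 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Apr  8 10:15:03 dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")

def relay_attempts(log_text, blocked):
    """Map client IP -> number of queries for the blocked (Private Relay) names.
    Clients listed here tried to bootstrap Private Relay via the router's resolver;
    a relay-enabled client that is absent resolves elsewhere (DoH/DoT) and
    cannot be blocked by dnsmasq at all."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(2), blocked):
            hits[m.group(3)] += 1
    return dict(hits)
```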
 
Not possible IMHO.
Private relay bypasses dnsmasq totally, so whatever changes you make there will be irrelevant.
 
Old thread and still looking for other posts….but I seem to be having success on this topic by blocking some common DoH providers and implementing this adlist on my Pihole - https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOH/DOHadb.txt

I’ve stopped hijacking dns in its tracks for everything I can test / think of but I’m sure there’s still some app I have sneaking.

Only pain is Apple devices are flooding my pi retrying constantly. I saw this so maybe there is a better way in my pi setup. https://community.fortinet.com/t5/F...loud-Private-Relay-from-bypassing/ta-p/228629

If anyone has hijacking tips or there is a better forum topic to review please point me, I’m new.
 
Do not know if this is related. I have DNS Director set to router and I use dnscrypt-proxy (dnscrypt installer in amtm), mostly connect to my VPN server when I am not at home, but also use private DNS on my Android phone sometimes, Quad9 or Cloudflare DoT.
When I have private DNS enabled and connect to my WiFi or to my VPN server, I get a "no internet" message. I like this behavior: not bypassing the router or filtering setup.


/Zastoff
 
As far as I have ever found there is only one filtering DNS service that can work with Private Relay and that is NextDNS. You have to install their profile on your Apple devices and it will work in conjunction with Private Relay. I do this on all my devices and it works great, my IP is hidden and Safari traffic goes through the tunnel but still gets filtered. NextDNS worked with Apple to have their mobileconfig profile integrate.
 