AdguardTeam / AdGuardDNS

Public DNS resolver that protects you from ad trackers
https://adguard-dns.io/
GNU Affero General Public License v3.0

Apple iCloud Private Relay is not blocked in Adguard DNS #451

Open Batman2814 opened 1 year ago

Batman2814 commented 1 year ago

Apple iCloud Private Relay is not blocked in AdGuard DNS even though I have the setting in AdGuard DNS set specifically to block iCloud Private Relay. I tested it when I turned on iCloud Private Relay on my iPad: I was still getting internet, and when I went to the AdGuard services test page the DNS wasn't detecting AdGuard DNS.

ameshkov commented 1 year ago

AdGuard DNS blocks it the way that Apple recommends. If it does not work, this is probably on Apple.

The only idea I suggest to check before reporting this: try reconnecting to the network after you start blocking the private relay. Maybe iOS/macOS devices only do the check on a network change.

Batman2814 commented 1 year ago

I already did this. Would it be on AdGuard to block iCloud Private Relay? How does Apple recommend blocking it?

Batman2814 commented 1 year ago

Why did you close the issue?

ameshkov commented 1 year ago

https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/

mask.icloud.com
mask-h2.icloud.com

If these two domains cannot be resolved Apple Private Relay should stop working.

Batman2814 commented 1 year ago

So I added these 2 domains to the Blocklist in the filtering log rules and it did block iCloud Private Relay. For some reason, even though I have iCloud Private Relay blocked in AdGuard DNS, those domains weren't being blocked.

ameshkov commented 1 year ago

Let's keep it open, just in case anyone else would check it.

I see no issues with this feature on our side, it works as expected and forces NXDOMAIN response for those domains.
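The check a practitioner wants at this point is whether the resolver a device is actually using returns a negative answer for the two hostnames Apple documents. The following is an added example written for this thread, not code from the AdGuard DNS project or from anyone in the discussion: a stdlib-only probe that sends a plain-UDP DNS query to a resolver address you supply (an assumption; nothing here defaults to a particular service), classifies the reply, and also contains constructed sample replies so it runs offline. Treating a `0.0.0.0` answer as "still resolves" rather than as a block is my assumption, since the thread states the service forces NXDOMAIN for these names.

```python
"""Probe a resolver for the two iCloud Private Relay hostnames Apple documents
and report whether each gets a negative answer. Stdlib only (raw UDP DNS).
Illustrative example for this thread, not AdGuard DNS code."""
import socket
import struct
import sys

PRIVATE_RELAY_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed id is fine for a one-shot diagnostic, never for a real stub resolver


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS query: header with RD set, one question for <name> A IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def make_response(name: str, rcode: int, addresses=(), txid: int = TXID) -> bytes:
    """Construct a response packet (offline demo only; no real resolver involved)."""
    flags = 0x8180 | rcode  # QR, RD, RA plus the rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    pkt = header + build_query(name, txid)[12:]
    for ip in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return pkt


def _skip_name(packet: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = packet[off]
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1


def parse_response(packet: bytes, txid: int = TXID) -> dict:
    """Return the rcode name and any A records found in the answer section."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in packet[off:off + 4]))
        off += rdlen
    rcode = flags & 0x0F
    return {"rcode": RCODES.get(rcode, str(rcode)), "addresses": addresses}


def classify(resp: dict) -> str:
    """nxdomain and nodata are negative answers; null-ip (0.0.0.0) still resolves,
    which this example assumes the client treats as success."""
    if resp["rcode"] == "NXDOMAIN":
        return "nxdomain"
    if resp["rcode"] != "NOERROR":
        return resp["rcode"].lower()
    if not resp["addresses"]:
        return "nodata"
    if all(a == "0.0.0.0" for a in resp["addresses"]):
        return "null-ip"
    return "resolves"


def relay_blocked(verdicts: dict) -> bool:
    """Both documented hostnames must get a negative answer for Private Relay to stop."""
    return all(verdicts.get(d) in ("nxdomain", "nodata") for d in PRIVATE_RELAY_DOMAINS)


def probe(resolver_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Send one plain-UDP query to <resolver_ip>:53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # live: python probe.py <resolver ip>
        verdicts = {d: classify(probe(sys.argv[1], d)) for d in PRIVATE_RELAY_DOMAINS}
    else:  # offline demo with constructed replies
        verdicts = {
            "mask.icloud.com": classify(parse_response(make_response("mask.icloud.com", 3))),
            "mask-h2.icloud.com": classify(parse_response(make_response("mask-h2.icloud.com", 0, ["0.0.0.0"]))),
        }
    for d, v in verdicts.items():
        print(f"{d}: {v}")
    print("Private Relay blocked:", relay_blocked(verdicts))
```

Caveat: a plain port-53 query from a laptop shows what that resolver returns on that path; it does not prove what the Apple device itself receives on its own DNS path (encrypted DNS, a VPN tunnel, or a linked-IP setup can all differ), which is exactly the gap this thread is circling.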

ghost commented 1 year ago

There is definitely an issue, but who it's with, I'm not sure.

If AdGuard for iOS is the DNS implementation and the Private Relay domains are blocked in the AdGuard for iOS app, you will have no internet connectivity in Safari/Mail. Whether you're using split-tunnel or full tunnel makes no difference. Although the default blocking mode isn't NXDOMAIN on AdGuard for iOS, it doesn't seem to matter; I tested this also. This is the notification you get when Private Relay is being effectively blocked (this is from my device). As soon as those 2 Private Relay domains are unblocked, the network is immediately back online as shown.

When blocking the domains in AdGuard DNS website whether it's manually, or using the tick box method, and using the same setup as above with the Private Relay domains unblocked on the device, it seems Private Relay is not actually being blocked. I can still browse in Safari and get Mail which should not be possible. I tested this both with the AdGuard for iOS app and the config profile. Both did not block the Private Relay domains, allowing free flowing internet.

Batman2814 commented 1 year ago

Can you mark this as a bug? It's still not blocked if I remove it from my filter list with iCloud Private Relay set to Blocked in settings.

ghost commented 1 year ago

iOS 16.2 was just released. This is confirming the issue still exists on this update.

When returning NXDOMAIN to the Private Relay domains within the AdGuard for iOS app (DNS filtering) Private Relay gets blocked correctly as it's blocked locally on the device, causing Private Relay to notify the user.

When returning NXDOMAIN to the same domains within the AdGuard DNS web dashboard, Private Relay continues to bypass AdGuard DNS personal's filtering, operating as if nothing is changed.

ghost commented 1 year ago

Hi everyone,

So I can confirm that the Block iCloud Private Relay setting is not working, even if the devices are restarted after this rule is imposed. I did a little research and found the following domains which, if blocked, serve the purpose of preventing iCloud Private Relay from operating.

apple-dns.net mask-api.icloud.com mask-h2.icloud.com

I have successfully tested this one and to make sure your settings work properly, clear the safari web browsing history and then quit the browser. Relaunch it and then you can see that Private Relay is no longer working.

ghost commented 1 year ago

> Hi everyone,
>
> So I can confirm that the Block iCloud Private Relay setting is not working, even if the devices are restarted after this rule is imposed. I did a little research and found the following domains which, if blocked, serve the purpose of preventing iCloud Private Relay from operating.
>
> `apple-dns.net`
> `mask-api.icloud.com`
> `mask-h2.icloud.com`
>
> I have successfully tested this one and to make sure your settings work properly, clear the safari web browsing history and then quit the browser. Relaunch it and then you can see that Private Relay is no longer working.

Unfortunately I could not reproduce your result with the instructions provided.

iCloud Private Relay was still fully functioning on iOS and macOS (latest betas).

Additionally, apple-dns.net should not be blocked as it provides functionality to multiple Apple services and is not specific to iCloud Private Relay. mask-api.icloud.com should also not be blocked, as the developer documentation does not reference it, meaning it could have other uses than just Private Relay that we're not privy to.

The issue is very much with how Apple routes its DNS queries on the system. If you use a VPN and filter the iCloud Private Relay domains you are specifically told to filter (on-device), it will stop it working immediately.

ghost commented 1 year ago

Hi there, I am currently using AdGuard DNS 2.0 and from there I blocked through manual user rules. As of now, for me it is working.

So when my network changes and slightly connects to the open internet, the prompt occurs that private relay is available but when AdGuard restarts the protection and set my DoQ to AG DNS 2.0 it shows the prompt again that iCloud Private Relay is unavailable. I have four Apple devices, 2 iPhones and 2 Macs and now all are showing the same error with Private Relay. Just would want to thank you for the heads-up regarding the domains. I will continually watch the network and if something breaks like some Apple services or likewise I will remove those rules.

ghost commented 1 year ago

Hey,

Here is the link for Apple doc, https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

ghost commented 1 year ago

@twitterblue here's the website (non-PDF) version for convenience.

I've raised the issue on the Apple Developer forums, as well as raising a ticket via the Feedback Assistant.

ghost commented 1 year ago

Additional information reported from NextDNS staff a year ago on the complications of Private Relay.

I haven't seen any behavioural changes in the last year, so I assume this is all still current. If that's the case, rewrites won't work at the moment (might affect AdGuard's safe search features when Private Relay is enabled?)

Batman2814 commented 1 year ago

Any idea when this will be fixed?

Batman2814 commented 1 year ago

I still believe this is on AdGuard DNS, because when I turn off the domain rules mask-h2.icloud.com and mask.icloud.com in User rules, it is not blocked. The only way to stop those domains is to do it manually in User rules. I don't see how this error is on Apple's software side, the way they have it set up, because when I block those iCloud Private Relay domains in the User rules they are stopped, but when I disable them and just have the box checked under the server settings, that doesn't block iCloud Private Relay.

bigplayer-ai commented 6 days ago

I found those responsible for iCloud private relay unblocking:

```
! iCloud Private Relay Unblocking
@@||mask-api.fe.apple-dns.net^
@@||mask-api.icloud.com^
@@||mask-h2.icloud.com^
@@||mask-t.apple-dns.net^
@@||mask.apple-dns.net^
@@||mask.icloud.com^
```

ameshkov commented 6 days ago

Where did you find these rules? I can't see them in AdGuard DNS filter.

hagezi commented 6 days ago

Block private relay and DoH bypass:

```
||doh.dns.apple.*^$important,dnsrewrite=NXDOMAIN
||mask*.icloud.com^$important,dnsrewrite=NXDOMAIN
||mask*.apple-dns.net^$important,dnsrewrite=NXDOMAIN
```

Unblock private relay and DoH bypass:

```
@@||doh.dns.apple.*^$important
@@||mask*.icloud.com^$important
@@||mask*.apple-dns.net^$important
```
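The two rule sets above (the `@@` unblock list and hagezi's `$important` block/unblock pair) only make sense once rule precedence is clear. The following is an added example written for this thread, not AdGuard's filtering engine and not code from anyone in the discussion: a toy matcher for `||host^` / `@@||host^` rules with `*` wildcards and the `$important` and `$dnsrewrite=` modifiers, run over the rules on this page against the Private Relay hostnames. The precedence table (important exception > important block > exception > block) is my reading of AdGuard's documented behaviour and is an assumption; representing the service's own "Block iCloud Private Relay" checkbox as two `$dnsrewrite=NXDOMAIN` rules is likewise a constructed stand-in, chosen because the thread says the feature forces NXDOMAIN for those names.

```python
"""Toy model of AdGuard-style DNS filtering rule precedence, written for this
thread. It is not AdGuard's engine; the precedence table is an assumption
about the documented $important behaviour, and the real engine is authoritative."""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str      # host pattern between '||' and '^', may contain '*'
    exception: bool   # rule starts with '@@'
    important: bool   # carries the $important modifier
    rewrite: str      # value of $dnsrewrite=..., or "" (informational here)
    raw: str


_RULE_RE = re.compile(r"\|\|([A-Za-z0-9.*-]+)\^")


def parse_rule(line: str):
    """Parse one '||host^' or '@@||host^' rule with optional $modifiers; None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("!"):
        return None
    exception = line.startswith("@@")
    body = line[2:] if exception else line
    body, _, mods = body.partition("$")
    modifiers = mods.split(",") if mods else []
    m = _RULE_RE.fullmatch(body)
    if not m:
        raise ValueError(f"unsupported rule syntax: {line}")
    rewrite = next((x.split("=", 1)[1] for x in modifiers if x.startswith("dnsrewrite=")), "")
    return Rule(m.group(1).lower(), exception, "important" in modifiers, rewrite, line)


def matches(rule: Rule, host: str) -> bool:
    """'||host^' matches the host itself and any subdomain; '*' matches any run of characters."""
    if "*" in rule.pattern:
        return fnmatch.fnmatchcase(host, rule.pattern) or fnmatch.fnmatchcase(host, "*." + rule.pattern)
    return host == rule.pattern or host.endswith("." + rule.pattern)


# Higher number wins. Assumption: important exception > important block > exception > block.
PRIORITY = {(True, True): 4, (False, True): 3, (True, False): 2, (False, False): 1}


def decide(rules, host: str):
    """Return ('block'|'allow', winning rule text or None) for one queried host."""
    host = host.lower().rstrip(".")
    hits = [r for r in rules if matches(r, host)]
    if not hits:
        return "allow", None
    best = max(hits, key=lambda r: PRIORITY[(r.exception, r.important)])
    return ("allow" if best.exception else "block"), best.raw


def evaluate(lines, host: str):
    """Convenience: parse rule lines, skip comments, decide for one host."""
    rules = [r for r in (parse_rule(l) for l in lines) if r is not None]
    return decide(rules, host)


if __name__ == "__main__":
    # Constructed scenario: the checkbox modelled as two NXDOMAIN rules, then the
    # unblock rules from this thread, then the $important block and unblock rules.
    checkbox = ["||mask.icloud.com^$dnsrewrite=NXDOMAIN", "||mask-h2.icloud.com^$dnsrewrite=NXDOMAIN"]
    unblock = ["! iCloud Private Relay Unblocking", "@@||mask.icloud.com^", "@@||mask-h2.icloud.com^"]
    important_block = ["||mask*.icloud.com^$important,dnsrewrite=NXDOMAIN"]
    important_unblock = ["@@||mask*.icloud.com^$important"]
    scenarios = [
        ("checkbox only", checkbox),
        ("checkbox + unblock", checkbox + unblock),
        ("+ $important block", checkbox + unblock + important_block),
        ("+ $important unblock", checkbox + unblock + important_block + important_unblock),
    ]
    for label, lines in scenarios:
        for host in ("mask.icloud.com", "mask-h2.icloud.com"):
            print(f"{label:22} {host:20} -> {evaluate(lines, host)}")
```

Running it shows the sequence the thread describes: the plain `@@` exceptions silence the checkbox-style block, the `$important` block rule beats those exceptions, and only an `$important` exception beats it back. The wildcard `||mask*.icloud.com^` also catches `mask-api.icloud.com`, which the thread notes is not in Apple's documented list, so a blanket wildcard is broader than the documented block.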