Open emax810 opened 3 years ago
Hello. This Apple Private Relay service looks a lot like a VPN. Are you entirely sure that your devices continue using AGH as their only DNS server? Can you please provide the logs of requests? Thanks.
Hi,
I see these DNS requests for devices with "Private Relay" enabled:
nothing else :(
While there isn't much detail on the inner workings of Private Relay, here is what we know so far:
I don't have access to developer build of iOS 15 to verify this but from what I gather it sounds like it tunnels/proxies Safari traffic through their servers and eventually to Cloudflare. Safari is most likely doing remote DNS bypassing the DoH settings on the device. I presume Safari content blockers would still work as they are applied by Safari itself.
These 2 domains look new as I don't see them on a network with devices running both iOS 14.6 & iPadOS 14.6. Second domain is a CNAME to first one.
mask.icloud.com
mask.apple-dns.net
I have a strong feeling that this isn't really an AGH issue, but we'll still need to investigate it and probably add it to the documentation. Hopefully, Safari has some kind of internal setting for this kind of thing.
DNS requests are made via the Private Relay so I don't think any software on the device can interfere without breaking the functionality (if that's even possible).
Apple says that Private Relay will also include DNS queries
From The Verge: https://www.theverge.com/2021/6/10/22526881/apple-icloud-plus-privacy-subscription-services-revenue-wwdc-2021
More documentation from Apple Developer:
Damn. GitHub really needs to add a way to collapse a comment.
Well, probably you could configure AGH to be an encrypted DNS server (DOH or DOT) and route DNS traffic there by installing a DNS profile.
You can just disable it for the network. Go to your Wi-Fi settings and press the 'i'. Scroll down and disable Private Relay. I don't think AdGuard Home or other solutions will be able to bypass this easily.
Well what’s the point of paying for the feature if you’re going to end up disabling it?
Now this is just me, but I already pay for iCloud storage, so i'm not paying extra for iCloud relay. However, because you can disable it on specific wifi networks, you can still get the benefits when on public wifi etc.
True, but that creates a problem: in my case I have a DoH profile that enables DoH to AdGuard Home when outside my network, so your config will bypass this DNS filtering when outside, and the apps' DNS requests will remain unsecured.
Apple's private relay includes DNS queries for privacy. They are sent as DoH requests to the specified domains that you are seeing. The only way you could get the best of both worlds is if Apple decides to let users use a custom DNS server rather than force their own. Aside from that, you're pretty much stuck with one or the other. You could block DoH requests to those domains (or DNS lookup on said domains), however that'll just kill off your DNS entirely and you'll be stuck with direct IP requests only (which is not ideal obviously).
If you want to use Private Relay, or any other kind of proxy/VPN service, then you should use AdGuard for Mac or AdGuard for iOS. If you're going to use a VPN there really isn't that much a DNS adblocker can do, aside from trying to block it by default and causing a flood of issues complaining about said block like Pi-Hole
imo AdGuard Home should provide a toggle in settings to block Private Relay, just not by default.
Can it be blocked on the DNS level?
Oh, cool, thank you!
@ainar-g we should add a new setting that suppresses Apple Private Relay.
I suggest enabling by default as Private Relay defeats the purpose of AdGuard Home. It should be possible to enable or disable this setting on the per-client basis.
Please assign this feature to a milestone.
I'd suggest adding it in the blocked services.
Well, blocked service is more of a "parental control" type of feature, and this one is of a greater scope.
Please DO NOT block private relay by default, pi-hole did this and it was a pain in the ass to figure out why my iPhone and Mac suddenly weren't connecting to private relay. It should be optional like the rest of the blockable services are
Well, the problem with private relay is that it's not just a "service", it basically circumvents AdGuard Home.
I am not sure how Pi-Hole did this, but we'll add a setting that will be visible in the UI, would it be enough to figure out what's disabling it?
DoH circumvents almost all DNS servers, and that's what Apple's Private Relay is. It's a DoH service. If it can resolve its DoH domain(s) using regular DNS (via AdGuard, for example), then it can look up everything else through the relay via DoH. You would simply need to block those domain names that run the DoH relay, and it will never be able to get to it to perform DoH queries. That's all Pi-hole would have had to do.
I simply use Cloudflare for teams DNS and filter out DoH domains with it (there's a setting). That way it does Apple, Google, and any other known providers.
I "vote" to have, in the Blocked services section, a section like "integrated VPN" that lists all "app VPNs" such as the VPNs of Brave / Firefox / Apple Relay / etc. that are embedded in software / the OS and whose domain names are known.
And (with a warning, as you said) when we enable the XXX API on the main page, let parents know they must enable this to "prevent" their child from circumventing it.
@ameshkov, I really don't think that that should be enabled by default.
I also agree that the feature sounds like something that should be in the Blocked Services section.
I also agree with those who say that it shouldn't be enabled by default and again, IMHO, blocked services sounds the perfect fit for it.
For context, in case it can be useful to someone else, those are my custom rules that I was using so far to block it until this is implemented:
```
# Disable iCloud Private Relay
||mask.icloud.com^$important,dnsrewrite=NXDOMAIN;;
||mask-h2.icloud.com^$important,dnsrewrite=NXDOMAIN;;
```
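To make concrete what the two rules above do (and what they do not cover), here is an added Python example that is not AdGuard Home code: a minimal matcher for `||host^$important,dnsrewrite=RCODE;;` rules that decides which answer a query name gets, plus a pass over a constructed query log to list which clients on the LAN are still probing the relay hostnames, which is the check a practitioner wants before assuming the block is effective. The two hostnames come from the rules; the log lines and client addresses are constructed sample data.

```python
"""Tiny matcher for AdGuard Home-style blocking rules (added example, not AGH code).

Demonstrates the `||host^` anchor (host and all subdomains), the `$dnsrewrite=`
modifier that selects the answer code, and an audit over a constructed
query log. The rule syntax follows the two rules quoted in the thread.
"""
import re
from dataclasses import dataclass

# The two rules from the thread, verbatim.
RULES_TEXT = """\
# Disable iCloud Private Relay
||mask.icloud.com^$important,dnsrewrite=NXDOMAIN;;
||mask-h2.icloud.com^$important,dnsrewrite=NXDOMAIN;;
"""

# Constructed sample of an AdGuard Home-style query log: (client, queried name).
SAMPLE_QUERY_LOG = [
    ("192.168.1.20", "mask.icloud.com"),      # iPhone probing the relay
    ("192.168.1.20", "apple.com"),
    ("192.168.1.31", "www.icloud.com"),       # ordinary iCloud traffic
    ("192.168.1.45", "mask-h2.icloud.com"),   # Mac probing the relay
]


@dataclass
class Rule:
    domain: str      # host between "||" and "^"
    rcode: str       # answer selected by $dnsrewrite (NXDOMAIN, REFUSED, ...)
    important: bool  # $important: overrides allow-list rules


_RULE_RE = re.compile(r"^\|\|(?P<host>[^\^/]+)\^(?:\$(?P<mods>.*))?$")


def parse_rules(text: str) -> list[Rule]:
    """Parse the subset of AdGuard rule syntax used in the thread."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment lines
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rcode, important = "NXDOMAIN", False  # assumed default for this example
        for mod in (m.group("mods") or "").split(","):
            if mod == "important":
                important = True
            elif mod.startswith("dnsrewrite="):
                # "NXDOMAIN;;" -> rcode "NXDOMAIN" (fields after ';' are A/CNAME values)
                rcode = mod[len("dnsrewrite="):].split(";")[0]
        rules.append(Rule(m.group("host").lower(), rcode, important))
    return rules


def matches(rule: Rule, qname: str) -> bool:
    """`||host^` matches the host itself and any subdomain, never a sibling name."""
    q = qname.lower().rstrip(".")
    return q == rule.domain or q.endswith("." + rule.domain)


def resolve_decision(rules: list[Rule], qname: str) -> str:
    """Return the answer code the filter would give, or 'PASS' to forward upstream."""
    for rule in rules:
        if matches(rule, qname):
            return rule.rcode
    return "PASS"


def relay_probers(rules: list[Rule], query_log) -> dict[str, set[str]]:
    """Map each client that queried a blocked relay name to the names it asked for."""
    seen: dict[str, set[str]] = {}
    for client, qname in query_log:
        if resolve_decision(rules, qname) != "PASS":
            seen.setdefault(client, set()).add(qname.lower())
    return seen


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in ("mask.icloud.com", "foo.mask.icloud.com", "www.icloud.com", "mask.apple-dns.net"):
        print(f"{name:24} -> {resolve_decision(rules, name)}")
    print(relay_probers(rules, SAMPLE_QUERY_LOG))
```

Two things the matcher makes visible: the rules answer NXDOMAIN for the relay hostnames and their subdomains but leave `www.icloud.com` alone, and the CNAME target `mask.apple-dns.net` mentioned earlier in the thread is not matched at all; that is fine only because the device never gets past the NXDOMAIN for the CNAME's owner name. The audit function is the quick way to confirm, from AdGuard Home's own query log, which clients are still hitting the probe names.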
Strange things. Disabling iCloud Private Relay still has the same effect. No iPhone route in AGH.
For me, I've installed Tailscale on the iPhone and on the server, so (under DNS, override local DNS and put the Tailscale IP assigned to your server) your DNS requests will be forced by the VPN (WireGuard) to your server (FOSS), and if you don't enable the exit node feature, only DNS requests will be pushed through the VPN.
Let me explain my situation. Router (Tenda nova 5) configured with AGH DNS. My devices (I mean smartphones and MacBook) configured with AGH DNS too. And it works well (except for my iPhone). With that config I see how many requests each device generates and I will not change it. It has to stay like it is now.
I disabled iCloud Private Relay and I was expecting my iPhone to be back on the AGH route. But it's not. It only generates a few requests.
But the sites I visit I see in AGH as requested just by the router, not my iPhone. When my wife visits some sites, they show up under her smartphone's requests in AGH. How do I solve my situation?
I use Tailscale to connect homeassistant when not in local network (out of home).
> I also agree with those who say that it shouldn't be enabled by default and again, IMHO, blocked services sounds the perfect fit for it.
> For context, in case it can be useful to someone else, those are my custom rules that I was using so far to block it until this is implemented:
> ```
> # Disable iCloud Private Relay
> ||mask.icloud.com^$important,dnsrewrite=NXDOMAIN;;
> ||mask-h2.icloud.com^$important,dnsrewrite=NXDOMAIN;;
> ```
Thanks for sharing! But as of today, these don't seem to be working anymore. I used https://d3ward.github.io/toolz/adblock.html to verify if AdGuard Home was still filtering, and https://vpnapi.io/relay-detection to know if the iCloud Relay was active on my iPhone; despite the filtering rules, the iCloud Relay stays active somehow.
So far the only reliable way I've found is to go on the WiFi network settings and toggle "Limit IP address tracking" off. This of course isn't ideal, as I have to do this for every Apple device in my network.
@gustakasn0v:
I toggled that option a long time ago as well, but those rules still seem to be valid and should be checked by the device as stated in the Apple Developer portal page.
For me, switching the refusal answer to NXDOMAIN did the trick.
> > I also agree with those who say that it shouldn't be enabled by default and again, IMHO, blocked services sounds the perfect fit for it.
> > For context, in case it can be useful to someone else, those are my custom rules that I was using so far to block it until this is implemented:
> > ```
> > # Disable iCloud Private Relay
> > ||mask.icloud.com^$important,dnsrewrite=NXDOMAIN;;
> > ||mask-h2.icloud.com^$important,dnsrewrite=NXDOMAIN;;
> > ```
>
> Thanks for sharing! But as of today, these don't seem to be working anymore. I used https://d3ward.github.io/toolz/adblock.html to verify if AdGuard Home was still filtering, and https://vpnapi.io/relay-detection to know if the iCloud Relay was active on my iPhone; despite the filtering rules, the iCloud Relay stays active somehow.
> So far the only reliable way I've found is to go on the WiFi network settings and toggle "Limit IP address tracking" off. This of course isn't ideal, as I have to do this for every Apple device in my network.
Eureka! It didn't work immediately, but a couple hours later I got a prompt on my iPhone telling me my network wasn't compatible with iCloud Private Relay, and prompting me to disable it.
So this means this method works! Just FYI it may take a while for existing devices to detect it.
Prerequisites
Issue Details
After installing the first developer beta of iOS 15, iPadOS 15 and macOS 12 and enabling "Private Relay" from iCloud+, on these devices there are ads everywhere.
Expected Behavior
Ads are blocked with Private Relay enabled.
Actual Behavior
Ads everywhere.
Screenshots
Additional Information
If I turn off "Private Relay", AdGuard Home works without problems.