Apple iCloud Private Relay Handling

Article author
Brian Gilstrap

As of iOS 15, iPadOS 15, and macOS Monterey, Apple began using a private relay (iCloud Private Relay), which could be used to bypass DNSFilter. For this reason, DNSFilter categorizes mask.icloud.com and mask-h2.icloud.com as Proxy & Filter Avoidance. If this threat category is turned on, these domains are blocked, which prevents any bypass. This could introduce issues, because the end user would not receive the block page: in Safari and some other apps, the private relay activates whenever a successful DNS response is received.

However, DNSFilter implemented an NXDOMAIN response for these domains, which means DNS resolution will never reach those relays. According to Apple's article "Prepare your network or web server for iCloud Private Relay", this is the preferred response to avoid any issues. The NXDOMAIN response allows Safari and other applications to function correctly.

Because NXDOMAIN is the default response for these domains, the Private Relay setting on the device displays a message that Private Relay is turned off for this specific network. No action is required. The images below show how this appears on iOS and macOS.

[Images: the Private Relay setting on iOS and on macOS, showing the message that Private Relay is turned off for this network]
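To confirm from a client network that the resolver in use answers the two relay hostnames with NXDOMAIN, a check like the following can be run. It is an added example, not DNSFilter or Apple code; the function names and the sample response bytes are constructed for illustration, and `check_resolver` assumes the resolver is reachable over UDP port 53.

```python
import socket
import struct

# Hostnames the article says DNSFilter answers with NXDOMAIN.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(resp, txid=0x1234):
    """Map a raw DNS response to 'nxdomain', 'resolves' or 'other'."""
    if len(resp) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"      # the outcome the article describes
    if rcode == RCODE_NOERROR and ancount > 0:
        return "resolves"      # relay hostname answered: bypass possible
    return "other"             # SERVFAIL, REFUSED, empty answer, ...


def check_resolver(resolver_ip, timeout=3.0):
    """Query a resolver over UDP/53 for each relay hostname."""
    results = {}
    for host in RELAY_HOSTS:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(host), (resolver_ip, 53))
                results[host] = classify_response(s.recv(512))
            except OSError:
                results[host] = "other"   # timeout or unreachable
    return results


# Constructed sample responses (not captured traffic): header + echoed question.
_q = build_query("mask.icloud.com")
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _q[12:]
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _q[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Calling `check_resolver` with the IP address of the network's configured resolver should return `nxdomain` for both hostnames when the behavior described in this article is in effect.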
